Cisco CCNP ENARSI 300-410 (300-410) — Questions 151–225

2152 questions total · 29 pages · All types, answers revealed


Page 3 of 29

151
MCQ · hard

An engineer configures OSPF on two routers connected via a serial link. The MTU on one side is 1500 and on the other is 1400. The OSPF adjacency forms but stays stuck in EXSTART state. Which is the most likely explanation?

A. The router with the larger MTU cannot process OSPF hello packets from the neighbor.
B. The router with the smaller MTU rejects DBD packets that exceed its MTU, preventing the exchange of LSAs.
C. The OSPF network type must be point-to-point for serial links; otherwise, the adjacency fails.
D. The OSPF process ID must match on both routers for adjacency to form.

Answer: B

DBD packets must fit within the interface MTU; a mismatch causes the adjacency to stall in EXSTART.

Why this answer

OSPF uses the interface MTU to determine the maximum size of Database Description (DBD) packets. If the MTU mismatches, the router with the smaller MTU will reject DBD packets from the neighbor, causing the adjacency to remain in EXSTART state.

152
MCQ · medium

A network engineer runs the following command to troubleshoot a VRF-Lite MPLS LDP issue:

```
R1# show mpls ldp bindings vrf CUSTOMER_F
  lib entry: 10.4.4.0/24, rev 2
        local binding:  label: 16
        remote binding: lsr: 2.2.2.2:0, label: 20
  lib entry: 10.5.5.0/24, rev 3
        local binding:  label: 17
        remote binding: lsr: 2.2.2.2:0, label: 21
```

What does this output indicate?

A. MPLS LDP has not established a session with the remote LSR 2.2.2.2.
B. The VRF CUSTOMER_F has two prefixes with local labels 16 and 17, and remote labels 20 and 21 from LSR 2.2.2.2.
C. The labels are not being used because the VRF is not configured correctly.
D. The remote LSR is using the same labels as the local router.

Answer: B

Correct. The output shows local and remote label bindings for two prefixes.

Why this answer

The 'show mpls ldp bindings vrf' command displays MPLS label bindings for a specific VRF. The output shows two prefixes (10.4.4.0/24 and 10.5.5.0/24) with local labels (16 and 17) and remote labels (20 and 21) from LSR 2.2.2.2. This indicates that LDP has successfully exchanged labels for these prefixes within the VRF.

153
MCQ · hard

Which syslog facility code is used by default for Cisco IOS messages when sent to a syslog server?

A. Facility 16 (local0)
B. Facility 20 (local4)
C. Facility 23 (local7)
D. Facility 24 (no default)

Answer: B

Cisco IOS uses local4 (facility 20) as the default syslog facility.

Why this answer

Cisco IOS defaults to facility code 20 (local4) for syslog messages.

154
MCQ · medium

A network engineer runs the following command to troubleshoot an MPLS L3VPN issue:

```
R1# debug ip bgp updates
*Mar 1 00:01:23.456: BGP(0): 10.0.0.2 UPDATE out w/ attr: nexthop 10.0.0.1, origin i, metric 0, path 65000, extended community RT:100:100
*Mar 1 00:01:23.456: BGP(0): 10.0.0.2 UPDATE out for 10.1.1.0/24
*Mar 1 00:01:23.456: BGP(0): 10.0.0.2 UPDATE run, update group 1
```

What does this output indicate?

A. R1 is advertising prefix 10.1.1.0/24 to BGP peer 10.0.0.2
B. R1 is receiving an update for 10.1.1.0/24 from 10.0.0.2
C. R1 is withdrawing prefix 10.1.1.0/24
D. R1 is using OSPF to advertise the prefix

Answer: A

The output clearly shows an UPDATE out for 10.1.1.0/24 to 10.0.0.2.

Why this answer

The debug ip bgp updates output shows that router R1 is sending a BGP update to neighbor 10.0.0.2 for prefix 10.1.1.0/24. The attributes include next hop 10.0.0.1, origin IGP, metric 0, AS path 65000, and extended community RT:100:100. This indicates a VPNv4 update is being advertised.

155
MCQ · hard

Which BGP attribute is considered 'well-known mandatory' and must be present in all BGP update messages?

A. LOCAL_PREF
B. AS_PATH
C. MED
D. COMMUNITY

Answer: B

Correct. AS_PATH is well-known mandatory.

Why this answer

The AS_PATH attribute is well-known mandatory, meaning it must be included in all BGP updates. Other well-known mandatory attributes include NEXT_HOP and ORIGIN.

156
MCQ · easy

Which NetFlow version introduced the concept of templates to support variable-length flow records?

A. NetFlow version 5
B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 10 (IPFIX)

Answer: B

Correct. Version 9 introduced template-based flow records.

Why this answer

NetFlow version 9 introduced templates, allowing flexible and extensible flow record formats.

157
MCQ · hard

A network engineer configures SNMPv3 with authentication only (no privacy) on a router. The NMS can poll the router successfully. Later, the engineer adds the 'priv' option to the user configuration. The NMS now fails to poll the router. Which is the most likely explanation?

A. The NMS is still configured with the old credentials that do not include the privacy protocol and key.
B. The router's SNMP engine ID changed when the user was modified.
C. The privacy protocol (e.g., AES) is not supported on the router.
D. The NMS must restart to recognize the new security level.

Answer: A

SNMPv3 requires that both the agent and NMS agree on the security level; if the agent requires privacy but the NMS does not provide it, the request fails.

Why this answer

When privacy is added to an SNMPv3 user, the NMS must be configured with the privacy protocol and key. If the NMS is still using the old credentials without privacy, authentication may succeed but privacy decryption fails, causing the response to be discarded.

158
MCQ · hard

An engineer configures BFD for BGP between two directly connected eBGP peers. The BFD session is up, but BGP remains in the Idle state. The engineer verifies that the BGP configuration is correct and that TCP port 179 is reachable. What is the most likely cause?

A. The eBGP neighbor is not on the same subnet, and the 'ebgp-multihop' command is missing, preventing TCP connection.
B. The BFD session is using a different source IP than the BGP update-source, causing BGP to ignore BFD state.
C. The BGP neighbor is configured with a password, but BFD does not support authentication, causing a mismatch.
D. The 'bgp bestpath med missing-as-worst' command is configured, causing BGP to reject the neighbor.

Answer: A

Correct. For eBGP, if the neighbor is not directly connected (same subnet), the 'ebgp-multihop' command is required. BFD does not affect this requirement.

Why this answer

BGP requires that the 'update-source' interface matches the source IP used for BFD. If BFD is configured on a different interface than the one used for the BGP TCP connection, BFD will not detect failures of the actual BGP path. However, in this case, BGP is stuck in Idle, which typically indicates a TCP connection issue.

A common edge case is that the 'ebgp-multihop' command is required even for directly connected eBGP peers if the neighbor is not on the same subnet. BFD does not compensate for this.

159
MCQ · hard

An engineer configures IPsec between two routers using a site-to-site VPN. The tunnel is established, but traffic is not encrypted. The engineer checks the crypto map and sees that the ACL for interesting traffic is configured correctly. Which is the most likely explanation?

A. The ACL on the remote router does not mirror the local ACL, so the remote router does not initiate an SA for the return traffic.
B. The crypto map is applied to the wrong interface (e.g., the inside interface instead of the outside interface).
C. The transform set uses ESP with authentication only, which does not provide encryption.
D. The IKE policy uses aggressive mode, which does not support encryption.

Answer: A

IPsec requires matching ACLs on both sides. If the remote ACL does not permit the return traffic, the SA will not be established for that direction, and traffic may be sent unencrypted.

Why this answer

A common edge case is that the ACL for interesting traffic is applied to the wrong interface or in the wrong direction. In site-to-site VPNs, the crypto map is applied to the outbound interface of the traffic. However, if the ACL is configured with the wrong source/destination (e.g., using the tunnel IP instead of the real IP), traffic will not match.

Another less obvious issue is that the ACL must be symmetric; if the ACL on one router permits traffic from A to B, the other router must permit traffic from B to A. If one side is missing, the traffic may be sent but not encrypted because the other side does not have a matching SA.

160
MCQ · hard

On a DMVPN Phase 2 hub-and-spoke network, an engineer applies an inbound IPv4 ACL on the tunnel interface of a spoke router to permit only traffic from specific spoke IPs. After the ACL is applied, the spoke cannot establish a direct spoke-to-spoke tunnel with another spoke, even though NHRP resolution succeeds. What is the most likely explanation?

A. The ACL is filtering the outer IP header of the mGRE tunnel, blocking spoke-to-spoke traffic.
B. The ACL is filtering NHRP packets, preventing spoke-to-spoke resolution.
C. The spoke has a misconfigured NHRP authentication key.
D. The ACL is applied outbound, filtering outgoing traffic.

Answer: A

The ACL on the tunnel interface filters the encapsulated packets; if it only permits the hub's IP, traffic from other spokes is denied.

Why this answer

In a DMVPN Phase 2 network, spoke-to-spoke traffic is encapsulated in a new IP header with the destination IP set to the target spoke's public address. When an inbound ACL is applied to the spoke's tunnel interface, it filters traffic after decapsulation, meaning it inspects the inner (original) IP header. However, the ACL is applied on the physical interface or the tunnel interface in a way that inadvertently filters the outer IP header of the mGRE tunnel, blocking the encapsulated spoke-to-spoke packets before they can be processed.

Since NHRP resolution succeeds, the spoke knows the peer's address, but the actual data traffic is dropped because the ACL denies the outer encapsulation.

Exam trap

Cisco often tests the distinction between filtering the outer IP header (physical interface) versus the inner IP header (tunnel interface) in DMVPN, leading candidates to incorrectly assume that an ACL on the tunnel interface always inspects the inner packet, when in fact the ACL placement and direction determine which header is evaluated.

How to eliminate wrong answers

Option B is wrong because NHRP resolution succeeds, indicating that NHRP packets (which use UDP port 1701) are not being filtered by the ACL; if they were, the spoke would not be able to resolve the target spoke's address. Option C is wrong because a misconfigured NHRP authentication key would prevent NHRP registration and resolution entirely, but the question states NHRP resolution succeeds. Option D is wrong because the ACL is explicitly stated as inbound on the tunnel interface; an outbound ACL would affect traffic leaving the spoke, not incoming spoke-to-spoke traffic, and the issue is with receiving traffic from the other spoke.

161
MCQ · easy

A network engineer runs the following command to troubleshoot an Administrative Distance issue:

```
R1# show ip route summary
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       2           0           0           512
static          1           0           0           256
eigrp 100       3           0           0           768
ospf 1          2           0           0           512
bgp 65001       1           0           0           256
  internal      1           0           0           256
Total           10          0           0           2560
```

What does this output indicate?

A. The router has 10 routes total, with EIGRP contributing the most routes.
B. The administrative distance for EIGRP routes is 90.
C. The router is redistributing between OSPF and EIGRP.
D. The BGP route is preferred over the OSPF route for the same prefix.

Answer: A

EIGRP has 3 networks, which is the highest count among protocols.

Why this answer

The output shows a summary of routes from different sources. It does not show administrative distance values directly, but it lists the routing protocols and their route counts.

162
Multi-Select · hard

Which TWO statements about the syslog message format and its fields are correct? (Choose TWO.)

A. The facility code in a syslog message identifies the type of process that generated the message, such as local7 (value 23).
B. The severity level in a syslog message ranges from 0 (debugging) to 7 (emergency).
C. By default, Cisco IOS includes a sequence number in every syslog message when logging is enabled.
D. The timestamp in a syslog message from a Cisco device is formatted as DD/MM/YYYY HH:MM:SS by default.
E. The hostname field in a syslog message is derived from the IP address of the interface that sends the message.

Answers: A

Correct. Facility codes indicate the source process; local7 is commonly used for Cisco network devices and has a value of 23.

Why this answer

Syslog messages follow RFC 5424 or the older BSD format. The facility code indicates the source process (e.g., local7 is 23), and the severity level is from 0 (emergency) to 7 (debugging). The sequence number is optional and not present by default.

The timestamp format is typically MMM DD HH:MM:SS in IOS, not DD/MM/YYYY. The hostname is the device's configured hostname, not the IP address of the sending interface.

163
MCQ · hard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS polls the router successfully. The engineer then configures IPsec to encrypt all traffic between the router and the NMS. The NMS now fails to poll the router. Which is the most likely explanation?

A. The IPsec configuration does not include an ACL that matches SNMP traffic (UDP port 161).
B. SNMPv3 encryption and IPsec encryption are incompatible and cannot be used together.
C. The IPsec configuration uses aggressive mode, which is incompatible with SNMPv3.
D. The router's SNMP process must be restarted after IPsec is configured.

Answer: A

If the IPsec crypto map's ACL does not match SNMP packets, the traffic is sent in clear text, but the NMS may expect encrypted traffic or the router may not process the packets correctly.

Why this answer

IPsec encryption of SNMP traffic can cause issues if the IPsec configuration does not match the SNMP traffic or if the IPsec security association (SA) is not established. Additionally, SNMPv3 already provides encryption; double encryption may cause performance issues or misconfiguration.

164
MCQ · hard

An engineer configures EIGRP named mode on a router and uses an offset-list to increase the feasible distance (FD) of a specific route. Unexpectedly, the route is still installed in the routing table with the original metric. Which is the most likely explanation?

A. The offset-list was applied to outbound updates instead of inbound, so it affected the FD on the neighbor, not the local router.
B. The offset-list value was too large, causing the route to be suppressed.
C. The offset-list was applied to the wrong interface.
D. The route is a connected route, and offset-lists do not affect connected routes.

Answer: A

Correct. Offset-list direction matters; outbound affects neighbor's FD.

Why this answer

In EIGRP, the offset-list modifies the metric of routes received or sent, but it affects the FD only if the route is the successor. However, if the route is a feasible successor, the offset-list may not change the FD for the successor path. Additionally, the offset-list in named mode applies to the topology table entry, but the route selection still uses the original metric if the offset-list is applied incorrectly (e.g., to the wrong direction).

165
MCQ · medium

When using an extended ACL to filter traffic, which fields can be matched? (Choose the most complete answer.)

A. Only source IP address.
B. Source and destination IP addresses, protocol, and port numbers.
C. Source IP address and destination port number only.
D. MAC address and IP address.

Answer: B

Correct. Extended ACLs can match these fields for fine-grained filtering.

Why this answer

Extended ACLs (access control lists) operate at Layer 3 and Layer 4 of the OSI model, allowing matching on source and destination IP addresses, protocol (e.g., TCP, UDP, ICMP), and port numbers. This granularity enables precise traffic filtering beyond the source-only limitation of standard ACLs. Option B correctly lists all these matchable fields, making it the most complete answer.

Exam trap

Cisco often tests the distinction between standard and extended ACLs, trapping candidates who forget that extended ACLs can match protocol and port numbers in addition to source and destination IP addresses, leading them to choose an incomplete option like C or A.

How to eliminate wrong answers

Option A is wrong because it describes a standard ACL, which only matches on source IP address, not the extended ACL's capability. Option C is wrong because it omits destination IP address and protocol, which are essential fields in an extended ACL; extended ACLs can match both source and destination ports, not just destination. Option D is wrong because MAC addresses are Layer 2 fields matched by MAC ACLs or port security, not by extended IP ACLs; extended ACLs do not filter based on MAC addresses.

166
MCQ · medium

A network engineer runs the following commands on Router R1:

```
R1# show ip ospf database

            OSPF Router with ID (10.1.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        100         0x80000001 0x00A0B0 1
10.2.2.2        10.2.2.2        200         0x80000003 0x00C0D0 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.1.2        10.1.1.2        150         0x80000001 0x00E0F0

R1# show ip route ospf
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       10.2.2.0/24 [110/20] via 10.1.1.2, 00:10:00, FastEthernet0/0
```

Based on this output, what is a likely issue?

A. A route-map is filtering OSPF routes, causing only one route to be installed.
B. OSPF is not running on any interface.
C. The router ID is misconfigured.
D. The area is not configured correctly.

Answer: A

The database has more routes than the routing table, indicating filtering.

Why this answer

The OSPF database shows two routers and a net link, but only one OSPF route is in the routing table. This could be due to a route-map filtering OSPF routes. The correct answer is that a route-map may be filtering some OSPF routes from being installed.

167
MCQ · medium

A network engineer is troubleshooting a BGP route summarization issue. Router R1 is configured with the 'aggregate-address 192.168.0.0 255.255.252.0' command without any keywords. The engineer notices that the ISP neighbor is receiving both the aggregate route and the more specific routes (192.168.0.0/24, 192.168.1.0/24, etc.), causing the ISP to prefer the specific routes. What should the engineer do to ensure the aggregate route is preferred?

A. Add the 'summary-only' keyword to the aggregate-address command.
B. Remove the network statements for the specific subnets from the BGP process.
C. Configure a route-map to set a higher local preference on the aggregate route.
D. Use the 'aggregate-address' command with the 'as-set' keyword.

Answer: A

Correct. The summary-only keyword suppresses the advertisement of more specific routes, leaving only the aggregate route.

Why this answer

By default, BGP prefers more specific routes over less specific ones. To make the aggregate route preferred, the engineer can use the 'summary-only' keyword to suppress specific routes, or use attributes like AS_PATH to make the aggregate more attractive.

168
Multi-Select · hard

An engineer must configure NAT so that inside hosts (192.168.1.0/24) are translated to a public IP pool (203.0.113.1-203.0.113.10) when accessing the Internet, but must NOT translate traffic destined to a VPN subnet (10.10.10.0/24) reachable via the same outside interface. Which TWO configuration steps are required? (Choose TWO.)

A. Create an ACL that denies 10.10.10.0 0.0.0.255 and permits any, then reference it in a route map with 'match ip address'.
B. Apply 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' where ACL 1 permits 192.168.1.0 0.0.0.255.
C. Use 'ip nat inside source route-map RMAP pool POOL' where the route map matches the ACL from step A.
D. Configure 'ip nat inside source static 192.168.1.1 203.0.113.1' for each host to ensure translation.
E. Apply 'ip access-group 100 in' on the inside interface to block traffic to the VPN subnet.

Answers: A, C

Correct. The ACL denies the VPN subnet, so the route map will not match traffic to that destination, thus exempting it from NAT.

Why this answer

To exempt certain destinations from NAT, a route map with 'match ip address' for the ACL that denies the VPN subnet is used. The ACL must deny the VPN subnet and permit all other traffic. The 'ip nat inside source route-map' command then applies this route map to the NAT translation.

Using a second ACL on the inside interface or a static NAT would not achieve the desired selective exemption.

169
Multi-Select · hard

An engineer wants to ensure that OSPF-learned routes are preferred over EIGRP-learned routes for a specific destination prefix, without affecting other routes. Which TWO actions will accomplish this? (Choose TWO.)

A. Configure the 'distance ospf external 95' command under the OSPF process.
B. Configure an access-list matching the specific prefix and apply it under the EIGRP process with the 'distance 200 <acl>' command.
C. Configure a prefix-list and apply it under the OSPF process with the 'distance 90 <prefix-list>' command.
D. Use the 'maximum-paths' command to increase the number of equal-cost paths, allowing both routes to be installed.
E. Remove the EIGRP process and redistribute EIGRP routes into OSPF with a lower metric.

Answers: B, C

Correct. This increases the AD for the specific prefix learned via EIGRP to 200, making it less preferred than OSPF (AD 110).

Why this answer

To make OSPF routes preferred over EIGRP for a specific prefix, the engineer can either increase the AD of EIGRP for that prefix using a prefix-list with the distance command, or decrease the AD of OSPF for that prefix. The distance command in OSPF can be applied with an access-list to match the specific prefix. Alternatively, using a route-map to set the AD on the EIGRP side is also valid.

Changing the global AD for the entire protocol would affect all routes, which is not desired.

170
MCQ · hard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface. After the configuration, legitimate traffic from a customer network is being dropped. The engineer verifies that the customer's IP prefix is in the routing table. Which is the most likely explanation?

A. The router has multiple equal-cost paths to the customer network, and the return path uses a different interface, causing strict uRPF to drop the packet.
B. The customer network uses private IP addresses that are not routable, so uRPF drops them.
C. The interface is configured with 'ip verify unicast source reachable-via any', which is loose mode, not strict mode.
D. The routing table has a default route that points to a different interface, causing uRPF to use the default route for verification.

Answer: A

Strict uRPF requires that the best route to the source points back to the receiving interface. If there are multiple equal-cost paths, the router may choose a different interface for the return path, causing drops.

Why this answer

Strict uRPF checks that the source IP of incoming packets has a route back to the same interface. If there is asymmetric routing, where the return path goes out a different interface, strict uRPF will drop the packets. A common edge case is when the router has multiple equal-cost paths to the source network, and the return traffic uses a different interface than the one the packet arrived on.

In such cases, uRPF strict mode will fail because it only checks the best route, not all routes.

171
Drag & Drop · medium

Drag and drop the steps to troubleshoot route redistribution adjacency or connectivity failures into the correct order, from first to last.


Why this order

Troubleshooting connectivity failures due to redistribution starts with checking basic Layer 3 reachability, then verifying routing protocol adjacencies, followed by examining the redistribution configuration, then checking for route filtering issues, and finally testing end-to-end connectivity. This order isolates the problem systematically.

172
MCQ · hard

What is the maximum number of ERSPAN sessions that can be configured on a Cisco IOS-XE router?

A. 4
B. 8
C. 24
D. 64

Answer: C

Many Cisco IOS-XE routers support up to 24 ERSPAN sessions.

Why this answer

The maximum number of ERSPAN sessions is platform-dependent, but typically up to 24 sessions on high-end routers like ASR1000 series. This is a hardware/software limitation.

173
MCQ · hard

An engineer configures PBR with a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also enables 'ip cef' globally. Traffic from 192.168.1.0/24 is not being policy-routed; instead, it follows the routing table. What is the most likely cause?

A. CEF is disabled globally, causing PBR to fail.
B. The interface needs the 'ip route-cache policy' command to enable CEF support for PBR.
C. The route-map is missing a 'set interface' command.
D. The ACL in the route-map is using a named ACL instead of a numbered one.

Answer: B

CEF fast-switching bypasses PBR unless policy routing is explicitly enabled in CEF.

Why this answer

PBR and CEF interact in a specific way: PBR is processed in software (process switching) by default, but CEF-switched packets bypass PBR unless 'ip route-cache policy' is enabled on the interface. Without this command, CEF fast-switches packets, ignoring PBR.

174
MCQ · medium

Examine the following OSPF configuration on router R1:

```
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
```

What is the effect of this configuration?

A. All interfaces with IP addresses in the 10.0.0.0/8 range will be enabled for OSPF in area 0, and interfaces in 192.168.1.0/24 will be in area 1.
B. Only the interface with IP 10.0.0.1 will be in area 0; all other 10.x.x.x interfaces are ignored.
C. The configuration is invalid because OSPF process 1 cannot have two network statements in different areas.
D. The configuration will cause a routing loop between area 0 and area 1.

Answer: A

Correct. The wildcard mask 0.255.255.255 matches the first octet, and 0.0.0.255 matches the last octet.

Why this answer

The network statements define which interfaces participate in OSPF and assign them to areas. The first statement covers all interfaces with IP addresses starting with 10.x.x.x, and the second covers 192.168.1.x. This is a valid configuration.

175
MCQ · medium

Examine this partial configuration on Router R3:

```
router ospf 1
 redistribute rip subnets metric-type 1 metric 50
```

What is the effect of the 'metric-type 1' keyword?

A. Redistributed RIP routes become OSPF Type 1 external LSAs, and the metric is the sum of the external metric (50) plus the internal OSPF cost to the ASBR.
B. Redistributed RIP routes become OSPF Type 2 external LSAs with a fixed metric of 50.
C. The 'metric-type 1' is ignored because the 'metric' keyword is also used.
D. The redistributed routes will have a metric of 50 and will not be affected by internal OSPF cost.

Answer: A

Type 1 external LSAs add internal OSPF cost to the external metric.

Why this answer

The metric-type 1 keyword makes the redistributed routes Type 1 external LSAs, which add the internal OSPF cost to the external metric. Type 2 (default) does not add internal cost.

176
Multi-Select · easy

Which TWO commands can be used to verify the configured logging destinations on a Cisco IOS-XE device? (Choose TWO.)

A. show logging
B. show running-config | include logging
C. show log
D. show syslog
E. show debug

Answers: A, B

The 'show logging' command shows the logging status, including destinations such as buffer, console, monitor, and syslog servers.

Why this answer

The 'show logging' command displays the current logging configuration and buffer contents. The 'show running-config | include logging' command shows all logging-related configuration lines. The other commands either show different information or do not exist.

177
MCQ · medium

A network engineer runs the following command to troubleshoot OSPF route installation:

```
R1# show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

O        10.1.1.0/24 [110/10] via 10.1.1.2, 00:12:34, GigabitEthernet0/0
O IA     192.168.1.0/24 [110/20] via 10.1.1.2, 00:10:00, GigabitEthernet0/0
O E2     5.5.5.5/32 [110/20] via 10.1.1.2, 00:05:00, GigabitEthernet0/0
```

What does this output indicate?

A. All OSPF routes are learned from the same next-hop 10.1.1.2.
B. The route to 5.5.5.5/32 is an intra-area route.
C. The route to 192.168.1.0/24 is a directly connected network.
D. The router has a default route installed.

Answer: A

All three OSPF routes have the same next-hop address 10.1.1.2.

Why this answer

The output shows OSPF routes in the routing table, including intra-area, inter-area, and external routes.

178
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip route vrf BLUE
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
C       10.1.2.0/24 is directly connected, GigabitEthernet0/1
O       10.2.0.0/16 [110/20] via 10.1.1.2, 00:00:15, GigabitEthernet0/0
```

Based on this output, what is the problem?

A. The OSPF route 10.2.0.0/16 has a next hop of 10.1.1.2, which is unreachable.
B. The OSPF route was learned 15 seconds ago, indicating a recent flap.
C. The VRF BLUE has no default route, which is a problem.
D. The connected routes are not in the routing table.

Answer: B

The age of 00:00:15 suggests the route was recently installed, which could indicate a flapping OSPF neighbor or route instability.

Why this answer

The output shows the routing table for VRF BLUE. It has two connected routes and one OSPF route. The OSPF route (10.2.0.0/16) has been learned recently (00:00:15), which may indicate a flapping neighbor or recent convergence.

However, the key observation is that the OSPF route's next hop is 10.1.1.2, which is reachable via GigabitEthernet0/0. The output is normal; no problem is evident. But if the question implies a problem, it might be that the OSPF route age is very recent, suggesting instability.

However, the correct answer here is that the VRF routing table is correctly populated.

179
MCQ · medium

Given the following partial configuration on router R3:

```
ip access-list extended FILTER
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
!
route-map RMAP permit 10
 match ip address FILTER
 set metric 100
!
router eigrp 100
 redistribute connected route-map RMAP
```

What is the effect of this configuration?

A. All connected routes will be redistributed into EIGRP with a metric of 100.
B. Only connected routes with a prefix matching 10.0.0.0/8 will be redistributed into EIGRP with metric 100; all other connected routes are not redistributed.
C. No routes will be redistributed because the route-map sequence number is not specified.
D. The redistribution will fail because the route-map must specify a metric for EIGRP redistribution.

Answer: B

The clause 'route-map RMAP permit 10' matches only what ACL FILTER permits, namely prefixes inside 10.0.0.0/8, and sets their metric to 100. Every other connected prefix fails the match and is stopped by the route-map's implicit deny.

Why this answer

A match against an ACL succeeds only when the ACL permits the prefix. Connected routes in 10.0.0.0/8 hit the permit entry, so clause 10 matches, 'set metric 100' is applied and the route is redistributed into EIGRP 100. Any other connected prefix hits 'deny ip any any' (or the ACL's implicit deny); for a route-map that is a non-match rather than a rejection, so clause 10 is skipped and the route reaches the implicit deny at the end of RMAP and is not redistributed. C is wrong: the sequence number is 10, and it defaults to 10 anyway. D is wrong: a metric is not mandatory in the route-map, and EIGRP derives metrics for connected routes from the interface. One practical caveat: for EIGRP, 'set metric' is normally given in its five-value form (bandwidth, delay, reliability, load, MTU); check 'show ip eigrp topology' for the redistributed prefix to see the composite metric that actually resulted.

180
MCQmedium

Router R5 has the following configuration:

```
interface GigabitEthernet0/6
 ip address 10.5.5.5 255.255.255.0
 ip policy route-map PBR-METRIC
!
route-map PBR-METRIC permit 10
 match ip address 103
 set metric 50
!
access-list 103 permit ip any any
```

What is the effect of the 'set metric 50' command in this PBR context?

A.The metric of packets matching ACL 103 is set to 50, affecting routing decisions.
B.The route-map has no effect because 'set metric' is not a valid PBR action; packets are routed normally.
C.The router applies the metric to the route in the routing table for the source network.
D.The configuration is invalid and will be rejected by the router.
AnswerB

'set metric' is accepted by the route-map parser but is not a PBR action; the clause matches every packet and changes nothing, so packets are forwarded from the routing table as usual.

Why this answer

Route-map syntax is shared across every feature that uses route-maps, which is why the router accepts 'set metric 50' without complaint, but PBR only acts on the forwarding set clauses: 'set ip next-hop', 'set ip default next-hop', 'set interface', 'set default interface', and the marking clauses 'set ip precedence' and 'set ip tos'. 'set metric' belongs to redistribution and BGP policy. A clause that matches but sets none of the PBR actions leaves the packet to normal destination-based routing, so A and C are wrong, and the configuration is not rejected, so D is wrong. Because ACL 103 matches everything, 'show route-map PBR-METRIC' will show the policy-routing match counter climbing even though no packet was policy-routed; that counter alone is not evidence that PBR is doing what was intended.

181
MCQmedium

A network engineer runs the following command to verify crypto engine connections on a DMVPN spoke:

```
R2# show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   AES256-SHA              100      100      100 192.168.1.2
```

What does this output indicate?

A.No IPsec SAs are active; the connection list is empty.
B.An IPsec SA is active with 100 packets encrypted and decrypted, indicating traffic flow.
C.The IPsec SA is failing due to algorithm mismatch.
D.The connection is for IKE, not IPsec.
AnswerB

Correct: one IPsec SA is listed, and both the Encrypt and Decrypt counters are non-zero, so traffic has passed in both directions.

Why this answer

Each row is one SA with its transform (AES256-SHA here), packets encrypted, packets decrypted, and the peer address. Equal non-zero Encrypt and Decrypt values mean the tunnel is carrying traffic rather than merely being negotiated, so A and C are wrong; IKE SAs are shown by 'show crypto isakmp sa', not in this list, which is why D is wrong. A single snapshot cannot show counters increasing, so run the command twice, or use 'show crypto ipsec sa' for per-SA encaps and decaps counters. If Encrypt climbs while Decrypt stays flat, traffic is leaving the spoke and not coming back: check the return path and the SA on the peer.

182
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show policy-map control-plane
Control Plane

Service-policy input: CoPP-IN
  Class-map: CoPP-BGP (match-all)
    500 packets, 30000 bytes
    5 minute offered rate 1000 bps, drop rate 500 bps
    Match: access-group 120
    police:
      cir 8000 bps, bc 1500 bytes, be 1500 bytes
      conformed 300 packets, 18000 bytes; actions: transmit
      exceeded 100 packets, 6000 bytes; actions: drop
      violated 100 packets, 6000 bytes; actions: drop
```

Based on this output, which statement is correct?

A.All BGP packets are being transmitted without any drops.
B.BGP traffic is being rate-limited and some packets are being dropped.
C.The police rate is set to 16000 bps.
D.The class-default is matching BGP traffic.
AnswerB

Exceeded and violated packets are both dropped, so 200 of the 500 packets that hit the class (40 percent) were discarded; the class is policing BGP well below what the session needs.

Why this answer

CoPP-BGP classifies traffic with ACL 120 and polices it to a CIR of 8000 bps; bc and be (1500 bytes each) are burst sizes, not a second rate, so C is wrong. The counters show 300 packets conformed and transmitted, 100 exceeded and 100 violated, both dropped, and the 5-minute drop rate of 500 bps is half of the offered 1000 bps. Dropped keepalives and updates will eventually expire the hold timer on the peer, so the session is at risk of flapping. A is contradicted by the drop counters, and D is not supported by the output, which does not show class-default at all. Fix by raising the CIR of the BGP class to a rate sized for the number of peers and prefixes, or by tightening ACL 120 so that only traffic from configured neighbors is classified as BGP.

183
MCQeasy

A network engineer runs the following command to verify NetFlow export on an interface:

```
R1# show ip flow interface
GigabitEthernet0/0
  ip flow ingress
  ip flow egress
GigabitEthernet0/1
  ip flow ingress
```

What does this output indicate?

A.NetFlow is enabled only on GigabitEthernet0/0 for both directions.
B.NetFlow is enabled on GigabitEthernet0/0 for both ingress and egress, and on GigabitEthernet0/1 for ingress only.
C.NetFlow is enabled on GigabitEthernet0/0 for ingress only.
D.NetFlow is not enabled on any interface.
AnswerB

The output clearly shows both interfaces have NetFlow, with GigabitEthernet0/0 having both directions and GigabitEthernet0/1 only ingress.

Why this answer

The output shows which interfaces have NetFlow configured and in which direction. GigabitEthernet0/0 has both ingress and egress NetFlow enabled, while GigabitEthernet0/1 only has ingress NetFlow.

184
MCQhard

Management traffic to a router's loopback interface is being dropped. Router R1 has the following relevant configuration:

```
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
 ip ospf 1 area 0
!
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
```

Router R2 shows:

```
R2# ping 192.168.1.1 source 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

What is the root cause?

A.Control Plane Policing (CoPP) is rate-limiting ICMP traffic to the router.
B.The ACL is missing a permit for ICMP; add permit icmp any any.
C.The loopback interface is not advertised via OSPF; check routing.
D.The ACL is applied outbound; change to inbound.
AnswerA

CoPP acts on traffic punted to the route processor, which includes pings to the router's own addresses; an interface ACL that permits everything cannot be what drops them, so the control-plane policy is the remaining place to look.

Why this answer

Test each option against the configuration shown. ACL 100 is 'permit ip any any', which already covers ICMP, so the implicit deny is never reached and B is false. The ACL is applied with 'ip access-group 100 in', so it is already inbound and D is false. Loopback0 is in OSPF area 0 through 'ip ospf 1 area 0'; C would only hold if 'show ip route 192.168.1.1' on R2 showed no route, and nothing in the stem suggests that. What remains is the path the echo request takes after the interface ACL: its destination is an address owned by R1, so it is punted to the control plane, and a policy attached with 'service-policy input' under 'control-plane' that polices or drops ICMP discards it before the router answers. Confirm with 'show policy-map control-plane', looking for a class that matches ICMP with exceeded or violated drops, and with 'show access-lists 100', whose permit counter will increase with each echo request even though no reply is sent, proving the packets reach R1 and are lost inside it.

185
MCQmedium

A network engineer is troubleshooting an issue where IPv6 traffic from a host is being dropped by the switch. The switch has IPv6 Source Guard enabled. The host has a static IPv6 address 2001:db8:2::20. The engineer sees that the binding table does not contain an entry for this host. What should the engineer do to resolve the issue without disabling IPv6 Source Guard?

A.Enable IPv6 ND snooping on the VLAN to allow the switch to learn the host's binding from Neighbor Discovery messages.
B.Configure the host to use DHCPv6 to obtain an address so that the binding is learned via DHCPv6 snooping.
C.Add a static binding entry for the host in the IPv6 binding table using the 'ipv6 neighbor' command.
D.Disable IPv6 Source Guard on the port connected to the host.
AnswerA

Correct because IPv6 Source Guard forwards only from sources present in the binding table, and for a statically addressed host the binding can only be learned by snooping Neighbor Discovery.

Why this answer

The binding table is populated from DHCPv6 snooping and from ND snooping (an 'ipv6 snooping policy' attached to the VLAN or port; older releases call the feature 'ipv6 nd inspection'). A host with a static address never sends DHCPv6, so without ND snooping it never gets a binding and Source Guard drops it. Enabling ND snooping on the VLAN (A) fixes this without weakening the feature. B changes the host to suit the switch, and D removes the protection. C names the wrong command: 'ipv6 neighbor' creates a static entry in the neighbor cache, not in the binding table. If a static binding is wanted, the command is 'ipv6 neighbor binding vlan <vlan-id> <ipv6-address> interface <interface> <mac-address>'. Verify with 'show ipv6 neighbors binding' that 2001:db8:2::20 appears with the expected interface and MAC address.

186
MCQmedium

A network engineer is troubleshooting why the NMS cannot poll the CPU utilization of router R7 via SNMP. The router has 'snmp-server community cisco RO' configured. The NMS can poll interface statistics and routing table entries successfully. What is the most likely cause?

A.The engineer configured an SNMP view that excludes the CPU utilization OID tree.
B.The router needs the 'snmp-server enable traps cpu' command to allow CPU polling.
C.The NMS is using an incorrect OID for CPU utilization; the correct OID is in the CISCO-PROCESS-MIB.
D.The router's CPU is not supported for SNMP polling due to hardware limitations.
AnswerA

Correct because a view restricts the OID subtrees a community can read; if the view bound to the community leaves out the CPU objects, polling them fails while everything else keeps working.

Why this answer

Interface counters and routing entries are returned, so reachability, the community string and any SNMP access-list are fine; the failure is confined to one branch of the MIB tree. CPU utilisation on IOS comes from CISCO-PROCESS-MIB (the cpmCPUTotal objects under 1.3.6.1.4.1.9.9.109), an enterprise subtree that is not part of mib-2. A community bound to a view, for example 'snmp-server community cisco view MGMT RO', exposes only what the view includes, so a view that includes mib-2 but not the Cisco enterprise branch produces exactly this symptom. The stem quotes the community line without a view, so the keyed answer assumes one was applied (or that the quoted line is incomplete); confirm with 'show snmp view' and 'show run | include snmp-server', then test from the NMS with an snmpwalk of 1.3.6.1.4.1.9.9.109. B is wrong because 'snmp-server enable traps cpu' controls notifications, not GET requests. C is possible in principle, but an OID that works against other routers of the same platform is not suddenly wrong for R7. D is wrong; CPU polling is supported across IOS platforms.

187
Multi-Selectmedium

Which TWO statements about route-maps used for route filtering are true? (Choose TWO.)

Select 2 answers
A.A route-map with a 'deny' statement will drop the route if the match conditions are met.
B.If a route does not match any sequence in a route-map, it is implicitly denied.
C.The 'continue' clause forces the route-map to evaluate the next sequence number.
D.Route-maps can only be applied to BGP neighbors.
E.The sequence numbers in a route-map are evaluated in descending order.
AnswersA, B

A deny clause rejects the route whose match conditions it satisfies; a route that matches no clause at all is rejected by the implicit deny at the end of the route-map.

Why this answer

Route-map clauses are evaluated in ascending sequence order (E is false), and the first clause whose match statements succeed decides the outcome: permit keeps the route with any set statements applied, deny discards it (A). With no matching clause the route is implicitly denied (B), which is why a filtering route-map usually ends with an empty permit clause when everything else should pass. C overstates 'continue': it is optional, and without it evaluation stops at the first matching clause; 'continue' with no argument moves on to the next clause and 'continue <seq>' jumps to that sequence. D is false; the same route-map syntax is used for redistribution, PBR, BGP neighbor policy and other features.
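The following is an added example, not part of the question bank and not IOS code: a small Python model of how a route-map is evaluated against a numbered ACL. It covers the behaviour the redistribution question on router R3 and the route-filtering question above both rely on: an ACL deny is a non-match for the clause rather than a rejection, an explicit deny clause drops a route whose match succeeds, a route that matches nothing hits the implicit deny, and 'continue' is the only way evaluation proceeds past a matching clause. The prefixes, the RMAP_DENY and RMAP_CONTINUE variants, and the NEXT_CLAUSE convention are constructed for the demonstration.

```python
"""Model of IOS route-map evaluation against a numbered ACL (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEXT_CLAUSE = 0  # modelling convention for 'continue' with no sequence argument


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: str    # e.g. "10.0.0.0"
    wildcard: str   # IOS wildcard: a 0 bit must match, a 1 bit is "don't care"

    def matches(self, prefix: str) -> bool:
        addr = int(ipaddress.ip_address(prefix.split("/")[0]))
        net = int(ipaddress.ip_address(self.network))
        care = ~int(ipaddress.ip_address(self.wildcard)) & 0xFFFFFFFF
        return (addr & care) == (net & care)


def acl_permits(acl: List[AclEntry], prefix: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str                              # "permit" or "deny"
    match_acl: Optional[List[AclEntry]]      # None = no match statement (matches all)
    sets: Dict[str, int] = field(default_factory=dict)
    continue_to: Optional[int] = None        # None, NEXT_CLAUSE, or a sequence number


def evaluate_route_map(clauses: List[Clause], prefix: str,
                       attrs: Dict[str, int]) -> Tuple[bool, Dict[str, int]]:
    """Return (permitted, attributes) for one prefix.

    Clauses are walked in ascending sequence order. A clause whose match fails is
    skipped (an ACL deny is therefore a non-match, not a rejection). A matching
    'deny' clause rejects the route immediately. A matching 'permit' clause applies
    its set statements and ends evaluation unless it carries 'continue'. If no
    clause ever matches, the implicit deny at the end of the route-map applies.
    """
    ordered = sorted(clauses, key=lambda c: c.seq)
    attrs = dict(attrs)
    permitted_by_earlier = False
    i = 0
    while i < len(ordered):
        clause = ordered[i]
        matched = clause.match_acl is None or acl_permits(clause.match_acl, prefix)
        if not matched:
            i += 1
            continue
        if clause.action == "deny":
            return False, attrs
        attrs.update(clause.sets)
        permitted_by_earlier = True
        if clause.continue_to is None:
            return True, attrs
        if clause.continue_to == NEXT_CLAUSE:
            i += 1
        else:
            targets = [n for n, c in enumerate(ordered) if c.seq == clause.continue_to]
            i = targets[0] if targets else len(ordered)
    # Fell off the end: permitted only if a clause with 'continue' matched earlier
    # (modelling assumption: the last matching clause's action stands).
    return permitted_by_earlier, attrs


# The page's configuration: ACL FILTER permits 10.0.0.0/8, RMAP permit 10 sets metric 100.
FILTER = [AclEntry("permit", "10.0.0.0", "0.255.255.255"),
          AclEntry("deny", "0.0.0.0", "255.255.255.255")]
RMAP = [Clause(10, "permit", FILTER, sets={"metric": 100})]

# Constructed variants: an explicit deny clause, and a clause that uses 'continue'.
RMAP_DENY = [Clause(5, "deny", FILTER), Clause(10, "permit", None, sets={"metric": 50})]
RMAP_CONTINUE = [Clause(10, "permit", FILTER, sets={"metric": 100}, continue_to=NEXT_CLAUSE),
                 Clause(20, "permit", None, sets={"tag": 7})]


def demo() -> Dict[str, Tuple[bool, Dict[str, int]]]:
    """Evaluate constructed connected prefixes against each route-map."""
    base = {"metric": 1}
    return {
        "RMAP 10.1.1.0/24": evaluate_route_map(RMAP, "10.1.1.0/24", base),
        "RMAP 192.168.1.0/24": evaluate_route_map(RMAP, "192.168.1.0/24", base),
        "RMAP_DENY 10.1.1.0/24": evaluate_route_map(RMAP_DENY, "10.1.1.0/24", base),
        "RMAP_DENY 192.168.1.0/24": evaluate_route_map(RMAP_DENY, "192.168.1.0/24", base),
        "RMAP_CONTINUE 10.1.1.0/24": evaluate_route_map(RMAP_CONTINUE, "10.1.1.0/24", base),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} -> {result}")
```

Running it shows 10.1.1.0/24 leaving RMAP with metric 100 while 192.168.1.0/24 is denied without any deny clause ever firing: the ACL's 'deny ip any any' only made clause 10 a non-match, and the implicit deny did the filtering. In RMAP_DENY the roles reverse, and RMAP_CONTINUE shows why 'continue' is not the default: both clauses contribute set statements to the same route.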

188
MCQmedium

A network engineer runs the following command to troubleshoot a route filtering issue: R1# debug ip bgp updates BGP(0): 10.1.1.2 rcvd UPDATE w/ attr: nexthop 10.1.1.2, origin i, metric 0, path 65001 65002 BGP(0): 10.1.1.2 rcvd UPDATE about 192.168.100.0/24 -- DENIED due to: community no-export; What does this output indicate?

A.The prefix 192.168.100.0/24 is being accepted and installed in the BGP table.
B.The prefix 192.168.100.0/24 is denied because of the no-export community.
C.The prefix 192.168.100.0/24 is denied because of an AS_PATH filter.
D.The prefix 192.168.100.0/24 is accepted but not advertised to any neighbor.
AnswerB

The debug line states the reason directly: the update for 192.168.100.0/24 was denied because of the no-export community.

Why this answer

'debug ip bgp updates' prints the attributes received from 10.1.1.2 (next hop, origin, MED 0, AS_PATH 65001 65002) and then the per-prefix decision; 'DENIED due to: community no-export' means a local inbound policy that matches that community rejected the prefix, so it never enters the BGP table (A and D are wrong) and no AS_PATH filter is involved (C). Note that no-export on its own is an outbound rule: a router holding the prefix will not advertise it to eBGP peers, but it does not reject received prefixes unless an inbound route-map or community list says so. Check 'show ip bgp neighbors 10.1.1.2' for the inbound route-map and 'show ip community-list' for the matching entry, then confirm with 'show ip bgp 192.168.100.0/24' that the prefix is absent.

189
MCQmedium

Consider the following partial configuration on a router:

```
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
!
```

What is the effect of this configuration?

A.BFD is enabled for OSPF on this interface and will detect failures faster than OSPF's hello/dead timers.
B.BFD is configured on the interface but will not be used by OSPF unless the 'bfd all-interfaces' command is added under router ospf.
C.BFD will only be used if the neighbor also has BFD configured with the same timer values.
D.The BFD configuration is invalid because the interval and min_rx values must be identical on both sides.
AnswerB

Correct. Configuring BFD timers on an interface creates no session by itself; a client protocol must register with BFD before any session is brought up.

Why this answer

'bfd interval 100 min_rx 100 multiplier 3' only sets the timers for sessions on GigabitEthernet0/1. OSPF registers as a BFD client either globally with 'bfd all-interfaces' under 'router ospf 1' or per interface with 'ip ospf bfd'; until one of these is present, 'show bfd neighbors' lists nothing and OSPF keeps relying on its hello and dead timers. C and D are wrong because the peers negotiate timers (each side transmits at the slower of its own interval and the peer's min_rx), so identical values are not required. Once enabled, 'show bfd neighbors details' should show the session Up with OSPF listed as a registered client.

190
MCQhard

An engineer configures IP SLA with a UDP jitter operation to monitor VoIP quality between two routers. The operation shows 'OverThreshold' in the show ip sla statistics output, but the engineer notices that the IP SLA responder on the remote router is configured with a control port that does not match the default. Which is the most likely explanation?

A.The IP SLA responder control port mismatch causes the operation to use a different port, but the jitter calculation is unaffected.
B.The IP SLA initiator must be configured with the 'control' keyword to specify the non-default control port on the responder.
C.The IP SLA responder automatically adjusts its control port to match the initiator's request.
D.The UDP jitter operation does not use the control port; it only uses the destination port for jitter probes.
AnswerB

When the responder is not listening on the default control port, the initiator's control-protocol settings must match it; otherwise probes are answered inconsistently or not at all, which shows up as timeouts, errors and spurious threshold violations.

Why this answer

A UDP jitter probe needs a responder. By default the initiator first contacts the responder's control port (UDP 1967) to ask it to open the probe's destination port, then sends the timestamped packets. In IOS the 'control' keyword on the 'udp-jitter' operation takes 'enable' or 'disable'; if the responder has been set up for a fixed port with 'ip sla responder udp-echo ipaddress <ip> port <port>' rather than the general 'ip sla responder', the initiator must target that port and use 'control disable', and the responder's port must equal the probe's destination port. A mismatch means the responder never opens the expected port, so the operation fails or reports misleading values (A and D are wrong; the control exchange is part of the operation), and the responder does not adapt by itself (C). Check both sides with 'show ip sla responder' and 'show ip sla configuration', then 'show ip sla statistics' for the return code.

192
MCQmedium

A network engineer is troubleshooting a VRF-Lite configuration on a Cisco router. The router has two VRFs (VRF_RED and VRF_BLUE) configured with OSPF as the routing protocol. The engineer notices that OSPF neighborships are not forming between routers in VRF_RED. The 'show ip ospf neighbor' command shows no neighbors. What is the most likely cause?

A.The OSPF process ID is not unique across VRFs.
B.The interfaces in VRF_RED are missing the 'ip ospf network point-to-point' command.
C.The OSPF process is not configured with the 'vrf VRF_RED' command.
D.The 'router-id' command is missing in the OSPF process.
AnswerC

OSPF only sees interfaces that belong to the VRF its process was created in; a global OSPF process ignores VRF_RED's interfaces, so no hellos are sent on them and no neighbors form.

Why this answer

Each VRF needs its own OSPF instance, created with 'router ospf <id> vrf VRF_RED', and the interfaces must be assigned with 'vrf forwarding VRF_RED' ('ip vrf forwarding' on older releases) before their addresses and 'network' statements take effect. A is backwards: process IDs must be unique on the router, which forces a different ID per VRF. B is not required; OSPF forms adjacencies on broadcast interfaces by default. D is worth checking but is not the first cause: a VRF process with no usable interface address can fail to elect a router ID and stays down, so after fixing the VRF association confirm that 'show ip ospf' lists the process with a router ID and 'show ip ospf interface brief' lists the VRF_RED interfaces.

193
Multi-Selecthard

Which THREE configuration steps are required to send syslog messages from a Cisco router to a remote syslog server? (Choose THREE.)

Select 3 answers
A.Configure the syslog server IP address using the 'logging <ip-address>' command.
B.Set the logging source interface using 'logging source-interface <interface>'.
C.Enable logging globally using 'logging on'.
D.Configure the logging trap severity level using 'logging trap <severity>'.
E.Configure NTP to ensure accurate timestamps in syslog messages.
AnswersA, C, D

'logging <ip-address>' names the destination, 'logging trap <severity>' sets which messages are exported, and 'logging on' must not have been disabled.

Why this answer

The three required elements are the server address (A), global logging (C; 'logging on' is the default, so the point is that 'no logging on' must not be present), and the trap level (D; the default is informational, so the command only needs to be entered to change it). The source interface (B) is optional but recommended so the server sees a stable address, and on a device with VRFs 'logging host <ip> vrf <name>' is needed when the server is reached through a VRF. NTP (E) makes timestamps trustworthy (together with 'service timestamps log datetime msec') but is not required to deliver messages. Verify with 'show logging', which lists the configured hosts and the count of messages sent.

194
MCQhard

Which statement about CoPP and IPv6 control plane traffic is correct?

A.CoPP does not support IPv6 traffic
B.IPv6 traffic is automatically classified as critical
C.CoPP can police IPv6 traffic using the same policy-map as IPv4
D.IPv6 control plane traffic is not subject to CoPP
AnswerC

CoPP uses a single policy-map that can match both IPv4 and IPv6 traffic via ACLs or class-maps.

Why this answer

CoPP can classify and police IPv6 control plane traffic using the same policy-map framework, but IPv6-specific protocols like OSPFv3 or RIPng must be matched using appropriate ACLs or class-maps.

195
MCQhard

Router R1 has an ACL applied to interface Gig0/0 in VRF-A that permits only specific management traffic. The ACL is:

```
access-list 100 permit udp any any eq snmp
access-list 100 permit tcp any any eq ssh
access-list 100 deny ip any any
```

The router's SNMP and SSH services are configured globally. Management stations in the global table cannot reach the router's VRF interface IP. What is the root cause?

A.The ACL does not permit the source IP address of the management station, causing traffic to be denied.
B.The ACL should be applied outbound on the VRF interface.
C.The management station must be in the same VRF.
D.The ACL is missing a permit statement for the management station's source IP.
AnswerC

The interface ACL is a red herring: it permits SNMP and SSH from any source, so it cannot be what stops those two protocols. The traffic never gets that far, because an address on a VRF-A interface does not exist in the global routing table.

Why this answer

A and D say the same thing and both contradict the ACL as quoted, whose permit entries use 'any' as the source. B is wrong: filtering arriving management traffic is an inbound function, and an outbound ACL would not affect packets destined to the router itself. The actual barrier is VRF separation. When Gig0/0 is placed in VRF-A, its connected subnet is installed in VRF-A's RIB and FIB only; a management station whose path terminates in the global table has no route to that address, and R1 has no route back. On R1, 'show ip route <vrf-interface-ip>' in the global table returns nothing, and 'show ip route vrf VRF-A <station-ip>' shows the return path is missing too. Putting the station in VRF-A, which is what C states, removes the problem. The alternative the options do not list is explicit leaking in both directions: a global static route to the VRF-A subnet pointing out Gig0/0, and 'ip route vrf VRF-A <station-subnet> <mask> <next-hop> global' for the return path. Whichever is chosen, verify with 'show access-lists 100' that the SNMP and SSH permit counters increment once routing works, and note that 'deny ip any any' also drops ICMP, so ping will keep failing even after the fix.

196
MCQmedium

A network engineer is troubleshooting a VRF-Lite setup where two customer VRFs (VRF_A and VRF_B) are configured on a router. The engineer notices that routes from VRF_A are appearing in the routing table of VRF_B, causing traffic misdirection. The router is running IOS-XE 17.3. What is the most likely cause of this issue?

A.The router has 'ip routing' disabled globally.
B.The 'route-target import' and 'route-target export' commands are misconfigured, causing VRF_A routes to be imported into VRF_B.
C.The 'ip vrf forwarding' command is missing on the interfaces.
D.The router is running OSPF with the same process ID in both VRFs.
AnswerB

Unintended route leaking is the symptom; the question keys it to a route-target mismatch, which is how VRFs import each other's routes when BGP is doing the leaking.

Why this answer

VRFs are isolated by default, so a VRF_A prefix can only appear in VRF_B if something copied it there: overlapping 'route-target import' and 'route-target export' values between the two 'vrf definition' blocks when BGP address-families are configured (B), a static route in VRF_B whose next hop lives in VRF_A, or redistribution between the two. Route targets are only honoured by BGP; in a pure VRF-Lite deployment without BGP they have no effect, so if 'show ip route vrf VRF_B' shows the leaked prefix as a static or IGP route rather than a BGP route, look at static routes and redistribution instead. A would stop all routing, C would leave the interfaces in the global table, and D is legal as long as each VRF has its own process. Compare 'show run | section vrf definition' for both VRFs and 'show ip route vrf VRF_B <prefix>' to see which protocol installed the foreign route.

197
MCQmedium

What is the default SNMPv3 security level for a user configured with the "snmp-server user username groupname v3 auth sha password" command?

A.noAuthNoPriv
B.authNoPriv
C.authPriv
D.The command is invalid without specifying a security level.
AnswerB

When only auth is configured without priv, the default security level is authNoPriv per RFC 3414.

Why this answer

The command specifies authentication (SHA) but no privacy, so the default security level is authNoPriv.

198
MCQhard

An enterprise is using CoPP to protect the control plane. R1 has the following configuration:

```
access-list 100 permit udp any any eq 179
class-map match-any BGP
 match access-group 100
policy-map COPP
 class BGP
  police 100000 20000 conform-action transmit exceed-action drop
```

On Router R2, 'show ip bgp summary' indicates that the BGP session to R1 is flapping every 30 seconds. R1's 'show policy-map control-plane' shows drops for class BGP. What is the root cause?

A.The CoPP policy is rate-limiting BGP traffic too aggressively, causing BGP packets to be dropped and the session to flap.
B.The ACL in the class-map uses UDP instead of TCP, so it does not match BGP traffic, and the drops are from another protocol.
C.The police rate is set too high, causing the router to drop all BGP traffic.
D.The class-map is not applied to the control-plane, so the policy has no effect.
AnswerB

BGP runs over TCP port 179. The entry 'permit udp any any eq 179' matches UDP, so class BGP never sees a BGP packet; whatever is being dropped in that class is not BGP, and the real BGP traffic is being handled, and possibly policed, by class-default.

Why this answer

Check each option against the configuration. The policer in class BGP is 100 kbps with a 20000-byte burst; that is generous for keepalives and would not by itself flap a session, and in any case it cannot act on BGP because its classifier matches the wrong transport (A describes the symptom, not the cause, and C is backwards: a higher rate drops less). D is contradicted by the stem, which says 'show policy-map control-plane' reports drops for class BGP, so the policy is attached. That leaves B: the ACL protocol is wrong, BGP segments fall through to class-default, and a restrictive class-default policer drops enough keepalives to expire R2's hold timer at regular intervals. Confirm with 'show access-lists 100' (the UDP entry's hit count stays at zero while the session flaps) and 'show policy-map control-plane' for class-default. The fix is 'access-list 100 permit tcp any any eq 179' plus 'access-list 100 permit tcp any eq 179 any' so that both directions of the session are classified; afterwards class BGP's conformed counter should start increasing and class-default's drops should stop.
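An added example, not part of the question bank and not IOS code, serving both CoPP questions above: the first function audits a CoPP configuration for a BGP class whose ACL cannot match BGP (the UDP-instead-of-TCP mistake), and the second parses 'show policy-map control-plane' counters of the kind shown for R1 into conformed, exceeded, violated and dropped packets per class. The configuration and show output are the page's own, re-typed here as constructed multi-line strings; the naming assumption that a class is the BGP class when 'BGP' appears in its name, and the helper names, are this example's choices.

```python
"""Audit a Cisco CoPP configuration and parse its show output (added example)."""
import re
from typing import Dict, List

# Constructed from the configuration quoted in the question (UDP instead of TCP).
WEAK_CONFIG = """\
access-list 100 permit udp any any eq 179
class-map match-any BGP
 match access-group 100
policy-map COPP
 class BGP
  police 100000 20000 conform-action transmit exceed-action drop
"""

# The corrected ACL: TCP/179 in both directions of the session.
FIXED_CONFIG = WEAK_CONFIG.replace(
    "permit udp any any eq 179",
    "permit tcp any any eq 179\naccess-list 100 permit tcp any eq 179 any")

# Constructed from the 'show policy-map control-plane' output quoted for R1.
SHOW_POLICY = """\
Control Plane

Service-policy input: CoPP-IN
  Class-map: CoPP-BGP (match-all)
    500 packets, 30000 bytes
    5 minute offered rate 1000 bps, drop rate 500 bps
    Match: access-group 120
    police:
      cir 8000 bps, bc 1500 bytes, be 1500 bytes
      conformed 300 packets, 18000 bytes; actions: transmit
      exceeded 100 packets, 6000 bytes; actions: drop
      violated 100 packets, 6000 bytes; actions: drop
"""

ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.*)$")


def bgp_ace_is_valid(ace: str) -> bool:
    """A BGP ACE must be a permit for TCP with port 179 (or the 'bgp' keyword) on either side."""
    m = ACE_RE.match(ace.strip())
    if not m or m.group(2) != "permit":
        return False
    proto, rest = m.group(3), m.group(4)
    return proto == "tcp" and re.search(r"\beq (179|bgp)\b", rest) is not None


def audit_copp_config(config: str) -> List[str]:
    """Return a finding for every ACE in a BGP-named class that cannot match BGP."""
    acls: Dict[str, List[str]] = {}
    class_acl: Dict[str, str] = {}
    current_class = None
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(line.strip())
            continue
        m = re.match(r"^class-map (?:match-(?:any|all) )?(\S+)", line)
        if m:
            current_class = m.group(1)
            continue
        m = re.match(r"^\s+match access-group (\d+)", line)
        if m and current_class:
            class_acl[current_class] = m.group(1)
    findings = []
    for cls, acl in class_acl.items():
        if "BGP" not in cls.upper():
            continue
        for ace in acls.get(acl, []):
            if not bgp_ace_is_valid(ace):
                findings.append(f"class {cls}: '{ace}' does not match BGP (TCP/179); "
                                f"BGP packets fall into class-default")
    return findings


def parse_copp_counters(show_output: str) -> Dict[str, Dict[str, float]]:
    """Per-class police counters; 'dropped' sums the buckets whose action is drop."""
    classes: Dict[str, Dict[str, float]] = {}
    name = None
    for line in show_output.splitlines():
        m = re.match(r"^\s*Class-map: (\S+)", line)
        if m:
            name = m.group(1)
            classes[name] = {"conformed": 0, "exceeded": 0, "violated": 0,
                             "dropped": 0, "cir_bps": 0}
            continue
        if name is None:
            continue
        m = re.match(r"^\s*cir (\d+) bps", line)
        if m:
            classes[name]["cir_bps"] = int(m.group(1))
        m = re.match(r"^\s*(conformed|exceeded|violated) (\d+) packets.*actions: (\w+)", line)
        if m:
            bucket, pkts, action = m.group(1), int(m.group(2)), m.group(3)
            classes[name][bucket] = pkts
            if action == "drop":
                classes[name]["dropped"] += pkts
    for stats in classes.values():
        total = stats["conformed"] + stats["exceeded"] + stats["violated"]
        stats["drop_ratio"] = stats["dropped"] / total if total else 0.0
    return classes


if __name__ == "__main__":
    print("weak config:", audit_copp_config(WEAK_CONFIG))
    print("fixed config:", audit_copp_config(FIXED_CONFIG))
    print(parse_copp_counters(SHOW_POLICY))
```

Against the weak configuration the audit reports the UDP entry and the fixed configuration reports nothing; the counter parser turns R1's output into a 40 percent drop ratio for CoPP-BGP, which is the number to watch after raising the CIR.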

199
MCQhard

A network engineer is troubleshooting an IPv6 connectivity issue on a router that is using a tunnel interface (IPv6 over IPv4). The engineer notices that traffic is not passing through the tunnel. The engineer checks the tunnel interface and finds an inbound IPv6 ACL that permits only certain IPv6 traffic. The engineer also sees that uRPF is enabled on the tunnel interface in strict mode. The tunnel source and destination are IPv4 addresses. The IPv6 traffic sourced from a network behind the tunnel is being dropped. What is the most likely cause?

A.The uRPF strict mode check fails because the router does not have a route to the source IPv6 network pointing to the tunnel interface.
B.The ACL is blocking the IPv6 traffic because the tunnel interface does not support ACLs.
C.The tunnel is not configured with the correct IPv4 source and destination.
D.The uRPF mode should be loose mode to allow traffic from any source.
AnswerA

Correct because uRPF on a tunnel requires a route to the source via the tunnel interface; without it, the packet is dropped.

Why this answer

The uRPF strict mode check requires that the source IPv6 address of incoming traffic on the tunnel interface must have a route in the routing table pointing back to that same interface. Since the IPv6 traffic is sourced from a network behind the tunnel, the router likely has a route to that source network via a different interface (e.g., the physical LAN interface) or no route at all, causing uRPF to drop the packets. This is the most likely cause because the tunnel interface is the inbound interface for the decapsulated IPv6 packets, and uRPF strict mode validates the source address against the Forwarding Information Base (FIB) entry pointing to the tunnel interface.

Exam trap

Cisco often tests the interaction between uRPF and tunnel interfaces, where candidates mistakenly think the ACL is the issue or that uRPF only checks for the existence of a route, ignoring the strict mode requirement that the route must point back to the same interface the packet arrived on.

How to eliminate wrong answers

Option B is wrong because tunnel interfaces do support ACLs; the ACL is applied inbound and can filter IPv6 traffic, but the question states the ACL permits only certain IPv6 traffic, so it is not the cause of the drop unless the traffic matches a deny entry, which is not indicated. Option C is wrong because the engineer already checked the tunnel interface and found the tunnel source and destination are IPv4 addresses, implying the tunnel is configured correctly; if they were incorrect, the tunnel would not come up or would not encapsulate/decapsulate properly, but the issue is specifically with IPv6 traffic being dropped after decapsulation. Option D is wrong because while loose mode would check only that a route exists to the source network (not necessarily via the inbound interface), the question states uRPF is enabled in strict mode, and changing to loose mode is a potential fix but not the most likely cause; the most likely cause is the strict mode check failing due to missing route via the tunnel interface.
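An added example, written for this page and not Cisco code, that simulates the strict and loose uRPF checks the question above turns on. The FIB entries, interface names and source addresses are constructed: in FIB_BROKEN the LAN behind the tunnel (2001:db8:2::/64) is known via GigabitEthernet0/1, so strict uRPF on Tunnel0 drops its traffic while loose mode passes it; FIB_FIXED adds the route via Tunnel0. The 'allow_default' flag models the IOS rule that a match on the default route alone does not satisfy uRPF unless 'allow-default' is configured.

```python
"""Strict vs loose unicast RPF against a small FIB (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress interface)


def fib_lookup(fib: List[Route], source: str) -> Optional[Route]:
    """Longest-prefix match; returns None if no route covers the address."""
    addr = ipaddress.ip_address(source)
    best: Optional[Route] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
            best = (prefix, iface)
    return best


def urpf_check(fib: List[Route], ingress: str, source: str,
               mode: str = "strict", allow_default: bool = False) -> Tuple[bool, str]:
    """Return (passed, reason) for a packet with 'source' arriving on 'ingress'.

    strict: the longest-prefix-match route must point out the ingress interface.
    loose:  any route to the source suffices.
    Either way a match on the default route only counts when allow_default is set.
    """
    route = fib_lookup(fib, source)
    if route is None:
        return False, f"no route to {source}"
    prefix, iface = route
    if ipaddress.ip_network(prefix).prefixlen == 0 and not allow_default:
        return False, f"only the default route covers {source} (allow-default not set)"
    if mode == "loose":
        return True, f"loose: route {prefix} via {iface} exists"
    if iface == ingress:
        return True, f"strict: {prefix} via {iface} matches ingress"
    return False, f"strict: {prefix} points to {iface}, packet arrived on {ingress}"


# Constructed FIB for the scenario: the remote LAN is wrongly known via Gi0/1.
FIB_BROKEN: List[Route] = [
    ("::/0", "GigabitEthernet0/0"),
    ("2001:db8:1::/64", "GigabitEthernet0/1"),
    ("2001:db8:2::/64", "GigabitEthernet0/1"),
]
# Fixed: the route for the remote LAN points out the tunnel.
FIB_FIXED: List[Route] = [
    ("::/0", "GigabitEthernet0/0"),
    ("2001:db8:1::/64", "GigabitEthernet0/1"),
    ("2001:db8:2::/64", "Tunnel0"),
]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four cases a practitioner would compare on the tunnel interface."""
    src = "2001:db8:2::20"
    return {
        "strict, broken FIB": urpf_check(FIB_BROKEN, "Tunnel0", src),
        "loose, broken FIB": urpf_check(FIB_BROKEN, "Tunnel0", src, mode="loose"),
        "strict, fixed FIB": urpf_check(FIB_FIXED, "Tunnel0", src),
        "loose, unknown source": urpf_check(FIB_FIXED, "Tunnel0", "2001:db8:9::1", mode="loose"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24} {'PASS' if ok else 'DROP'}  {why}")
```

The output makes the option-D trap concrete: switching to loose mode does make the broken FIB pass, but so does fixing the route, and only the latter keeps the anti-spoofing value of strict mode on the tunnel.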

200
MCQmedium

In DMVPN, what is the default holdtime value for NHRP mappings on a spoke router?

A.300 seconds
B.600 seconds
C.7200 seconds
D.3600 seconds
AnswerC

Correct. Default NHRP holdtime is 7200 seconds.

Why this answer

The default NHRP holdtime is 7200 seconds (2 hours) for mappings learned from the hub. This can be changed with the 'ip nhrp holdtime' command.

201
MCQhard

A network engineer is troubleshooting a route selection issue between two routing protocols. R1 learns the prefix 10.0.0.0/8 via both IS-IS (AD 115) and OSPF (AD 110). The engineer wants R1 to prefer the IS-IS route. After configuring the distance 105 ip 10.0.0.0 0.255.255.255 under the IS-IS process, the IS-IS route is still not preferred. What is the most likely cause?

A.The IS-IS route is a level 2 route, which has a default AD of 115, but the distance command only affects level 1 routes.
B.The OSPF route has a lower metric than the IS-IS route.
C.The distance command was applied under the OSPF process instead of IS-IS.
D.The IS-IS route is redistributed from another protocol, so it has a higher default AD of 115.
AnswerA

The keyed answer ties the failure to the level of the IS-IS route; whatever the cause, the first check is which administrative distance the router actually installed for the prefix.

Why this answer

Administrative distance is compared before metric, so once 10.0.0.0/8 carries AD 105 via IS-IS it wins over OSPF's 110 regardless of metric (B is wrong). If it does not, the distance command did not apply to that route. 'show ip route 10.0.0.0' prints the installed route as [AD/metric], and 'show ip protocols' lists the distance settings in effect under each process; if the command shows up under OSPF instead of IS-IS (C) it lowers the wrong protocol's AD, and redistributed IS-IS routes (D) keep the normal AD of 115 rather than a higher one. The keyed answer A assumes a 'distance' form that is scoped to level-1 routes while the prefix is learned as a level-2 route; 'show isis database detail' shows which level carries 10.0.0.0/8, and the AD has to be set for that level. Also verify that any access-list attached to the 'distance' command actually matches 10.0.0.0/8 rather than only the route source; an AD change that matches nothing leaves the display at 115 exactly as described.

202
Multi-Selecthard

An engineer must configure IP SLA tracking to trigger a static route removal when a remote server becomes unreachable. Which THREE configuration steps are required? (Choose THREE.)

Select 3 answers
A.Configure 'ip sla 1 icmp-echo 10.1.1.1' and 'ip sla schedule 1 life forever start-time now'.
B.Configure 'track 1 ip sla 1 reachability' to link the track object to the IP SLA operation.
C.Configure 'ip route 0.0.0.0 0.0.0.0 10.1.1.2 track 1' to apply the tracking to the default route.
D.Configure 'ip sla reaction-configuration 1 react reachability' to enable reaction on reachability change.
E.Configure 'ip sla logging traps' to enable syslog messages for IP SLA state changes.
AnswersA, B, C

Correct. All three are required: an operation that probes the server, a track object bound to the operation's reachability, and the route itself referencing the track.

Why this answer

'ip sla 1' with 'icmp-echo 10.1.1.1' and 'ip sla schedule 1 life forever start-time now' create and start the probe; 'track 1 ip sla 1 reachability' turns its return code into an up/down object (add 'delay down 10 up 10' or similar so a single lost echo does not withdraw the route); 'ip route 0.0.0.0 0.0.0.0 10.1.1.2 track 1' installs the route only while the track is up. D is not needed for static-route tracking: 'ip sla reaction-configuration' drives traps and triggered operations, not track objects. E only adds syslog messages. Verify with 'show track 1' (state and the reason for the last change) and 'show ip route 0.0.0.0' after blocking the target.

203
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ipv6 source-guard policy
Interface   Policy      Role   State
Gi0/0/0     SRC_GUARD   host   ACTIVE
Gi0/0/1     SRC_GUARD   host   ACTIVE
Gi0/0/2     (default)   host   ACTIVE
```

Based on this output, which statement is correct?

A.Only Gi0/0/0 and Gi0/0/1 have source guard enabled.
B.Source guard is enabled on all interfaces, preventing IPv6 address spoofing.
C.Source guard is disabled on Gi0/0/2 because it uses the default policy.
D.Role 'host' means the interface is a router port.
AnswerB

All interfaces show active state with source guard policy.

Why this answer

All interfaces are using the SRC_GUARD policy or default with role 'host', meaning source address validation is enforced on all interfaces. This prevents hosts from spoofing IPv6 addresses.

204
MCQmedium

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue: R1# show crypto isakmp policy Global IKE policy Protection suite of priority 10 encryption algorithm: AES - Advanced Encryption Standard (256 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #5 (1536 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit What does this output indicate?

A.The IKE policy is correctly configured with strong encryption and DH group.
B.The IKE policy uses DES, which is insecure and should be changed.
C.The IKE policy is missing the authentication method.
D.The IKE policy lifetime is set to 86400 seconds, which is too short.
AnswerA

Priority 10 uses AES-256, SHA and DH group 5. The default protection suite (DES, DH group 1) is weak and remains a fallback if a peer proposes nothing that matches policy 10; disable the built-in defaults with 'no crypto isakmp default policy' so the peer cannot negotiate down to it.

Why this answer

Option A is correct because the output shows a global IKE policy with priority 10 using AES-256 encryption, SHA hash, pre-shared-key authentication and Diffie-Hellman group 5 (1536-bit). Relative to the DES/DH group 1 default suite, this is the strong configuration the question is looking for. The default protection suite only comes into play if the peer's proposals match nothing in the configured policies, so the active policy is the one with priority 10. A practitioner hardening this today would go further: Cisco's current guidance deprecates DH groups 1, 2 and 5 and SHA-1 in favour of DH group 14 or higher (or ECDH groups 19/20) and SHA-256, and the default suite should be disabled rather than left available as a fallback.

Exam trap

Cisco often tests the distinction between the configured IKE policy and the default protection suite, tricking candidates into thinking the default suite is active or that DES is being used when it is not.

How to eliminate wrong answers

Option B is wrong because the active IKE policy (priority 10) uses AES-256, not DES; DES appears only in the default protection suite, which is not applied unless no matching policy is found. Option C is wrong because the output clearly shows 'authentication method: Pre-Shared Key' for both the priority 10 policy and the default suite, so the authentication method is present. Option D is wrong because an IKE lifetime of 86400 seconds (24 hours) is the default and is considered standard; it is not too short and can be adjusted as needed.
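The hardened form of the policy above, with the default suite removed, as an added example that is not from the question bank. The peer address 203.0.113.2 and the pre-shared key are assumed; the 'no crypto isakmp default policy' command requires IOS 15.1(1)T or later.

```cisco
! Explicit IKEv1 policy: AES-256, SHA-256, DH group 14, PSK authentication.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Remove the built-in default protection suites (DES/3DES, DH 1/2, MD5/SHA-1)
! so a peer that fails to match policy 10 cannot fall back to them.
no crypto isakmp default policy
!
! Assumed peer and key (replace with a high-entropy secret from a vault).
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! Verification:
!   show crypto isakmp policy      -> only "Protection suite of priority 10"; no default suite
!   show crypto isakmp sa detail   -> Encr aes, Hash sha256, DH 14 once the SA is up
```

After the change, re-run 'show crypto isakmp policy' on both peers: if the remote side still lists a default suite, its administrator can still be talked into DES by a third party that impersonates this router during negotiation, because IKEv1 lets the responder accept any proposal it has a matching policy for.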

205
Multi-Selectmedium

Which TWO commands would a network engineer use to verify OSPFv2 neighbor state and adjacency issues on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show ip ospf neighbor
B.debug ip ospf adj
C.show ip route ospf
D.show ip ospf interface
E.show ip protocols
AnswersA, B

This command lists all OSPF neighbors and their current state (e.g., FULL, 2WAY, INIT).

Why this answer

The 'show ip ospf neighbor' command displays the state of all OSPF neighbors, while 'debug ip ospf adj' provides real-time adjacency events. 'show ip route ospf' shows routes, not neighbor states; 'show ip ospf interface' shows per-interface details but not neighbor states directly; 'show ip protocols' displays routing process info, not neighbor states.

206
MCQmedium

A network engineer runs the following command to troubleshoot an IP SLA issue: R1# show ip sla monitor configuration 10 IP SLAs Monitor, Infrastructure Engine-II. Entry number: 10 Owner: Tag: Type of operation to perform: icmp-echo Target address: 192.168.1.1 Type Of Service parameter: 0x0 Request size (ARR data portion): 28 Operation timeout (milliseconds): 5000 Frequency (seconds): 60 Next Scheduled Start Time: Start Time already occurred Group Scheduled : FALSE Life (seconds): Forever Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): Active Threshold (milliseconds): 5000 Distribution Statistics: Number of history intervals kept: 0 Number of history buckets kept: 15 History Statistics: Number of history Lives kept: 0 What does this output indicate?

A.The IP SLA monitor operation is configured as a UDP jitter probe to 192.168.1.1.
B.The IP SLA monitor operation is configured as an ICMP echo probe with a 60-second frequency and 5-second timeout.
C.The IP SLA monitor operation has a frequency of 5 seconds and a timeout of 60 seconds.
D.The IP SLA monitor operation is in a 'Pending' state.
AnswerB

The configuration matches these parameters.

Why this answer

This is the older 'show ip sla monitor configuration' output, equivalent to 'show ip sla configuration' on current IOS. It shows an ICMP echo probe to 192.168.1.1 with status Active, a 60-second frequency and a 5000 ms (5-second) timeout. The 5000 ms threshold is the value the operation reports against for reaction purposes and is separate from the timeout.

207
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp topology summary IP-EIGRP Topology Table for AS(100)/ID(1.1.1.1) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 10.0.0.0/8, 1 successors, FD is 2812416, serno 10 via Summary (2812416/0), Null0 P 10.0.0.0/24, 1 successors, FD is 2172416, serno 5 via 192.168.1.2 (2172416/2812416), GigabitEthernet0/0 P 10.0.1.0/24, 1 successors, FD is 2172416, serno 6 via 192.168.1.2 (2172416/2812416), GigabitEthernet0/0 Based on this output, what is the purpose of the route 10.0.0.0/8 via Null0?

A.It is a default route for unknown destinations.
B.It is a discard route to prevent routing loops.
C.It is a route learned from a neighbor.
D.It is a connected route.
AnswerB

The Null0 interface indicates this is a discard route, commonly used with summarization to avoid loops.

Why this answer

The 10.0.0.0/8 via Null0 entry is the summary route EIGRP installs locally when summarization is configured ('ip summary-address eigrp 100 10.0.0.0 255.0.0.0' on the interface in classic mode, or 'summary-address' under 'af-interface' in named mode). It is installed with administrative distance 5 and discards packets destined to parts of the summary for which no more specific route exists, which is what prevents a routing loop between the summarizing router and neighbors that only know the /8.

208
Multi-Selecthard

Which TWO actions will prevent a BGP route from being installed in the routing table (RIB) while still being present in the BGP table? (Choose TWO.)

Select 2 answers
A.The route is suppressed due to an aggregate-address command.
B.The BGP next hop is unreachable via any IGP or static route.
C.The route is received with a higher local preference than the best path.
D.The neighbor is configured with 'soft-reconfiguration inbound'.
E.The route is dampened due to BGP flap dampening.
AnswersA, B

Correct. Aggregate-address with the 'summary-only' keyword suppresses more specific routes, keeping them in BGP but not installing them in the RIB.

Why this answer

A route sits in the BGP table without reaching the RIB when it is suppressed by aggregation (option A; the entry is marked 's' in 'show ip bgp' and the aggregate is advertised instead) or when its NEXT_HOP cannot be resolved (option B; the path shows 'inaccessible' and is never selected as best). Option C is self-contradictory: a higher local preference makes a path the best path, not a non-installed one. Option D only keeps an unmodified copy of received updates for 'clear ip bgp soft in'; it has no effect on installation. Option E describes a real mechanism as well, since a dampened path stays in the table flagged 'd' and is neither installed nor advertised, but it requires 'bgp dampening' to be enabled, which is not the default, so the intended pair here is A and B.

209
MCQmedium

A network engineer notices that an SNMPv3 poll from the NMS to router R1 fails with an authentication error. The engineer has configured 'snmp-server group ADMIN v3 priv' and 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456'. The NMS is configured with the same credentials. What is the most likely cause of the failure?

A.The SNMP group is missing the 'access' ACL that permits the NMS IP address.
B.The SNMP user password must be at least 8 characters; 'cisco123' is only 8, but the hash algorithm requires a minimum of 12 characters.
C.The NMS is using SNMPv2c, which is incompatible with SNMPv3 configuration.
D.The 'priv' keyword in the group definition should be 'auth' instead to match the user's authentication settings.
AnswerA

Correct because, among the options given, only an access restriction on the group is consistent with the symptoms: the credentials and security levels match, so if an 'access' ACL bound to the group does not permit the NMS, the poll is dropped regardless of the user's keys. Note that with no 'access' ACL at all, IOS accepts SNMPv3 requests from any source, so on a real router check what the bound ACL permits rather than just whether one exists.

Why this answer

The 'access' keyword belongs to the 'snmp-server group' command, not to 'snmp-server user': it binds a standard ACL to the group, and a request from a source the ACL does not permit is discarded. The security levels already agree (the group requires 'priv' and the user has both auth and priv), the user name is mapped to the group, and SNMPv2c from the NMS would fail on the community rather than report a v3 authentication error, so an access restriction is the remaining candidate. Two things to verify on a real router: 'show snmp group' shows which ACL (if any) is bound and 'show snmp user' confirms the user still exists, because SNMPv3 keys are localized to the engine ID and changing 'snmp-server engineID local' after the user was created invalidates that user.
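A complete SNMPv3 configuration with the ACL bound in the right place, as an added example that is not from the question bank. The group and user names come from the question; the NMS address 10.1.1.100, the ACL and view names, and the excluded OID are assumed.

```cisco
! Only the NMS may talk to the agent; log anything else.
ip access-list standard NMS-ONLY
 permit host 10.1.1.100
 deny   any log
!
! Read-only view. Excluding 1.3.6.1.6.3.15 (SNMP-USER-BASED-SM-MIB) keeps the
! USM user table out of reach of a polling station.
snmp-server view NMS-RO iso included
snmp-server view NMS-RO 1.3.6.1.6.3.15 excluded
!
! 'access' is a GROUP option: bind the ACL here, not on the user.
snmp-server group ADMIN v3 priv read NMS-RO access NMS-ONLY
!
! authPriv user. Keys are localized to the local engine ID, so if you set
! 'snmp-server engineID local', do it BEFORE creating users.
snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456
!
! Verification:
!   show snmp group     -> groupname: ADMIN, security model: v3 priv, access-list: NMS-ONLY
!   show snmp user      -> User name: admin, Authentication Protocol: SHA, Privacy Protocol: AES128
!   show snmp engineID  -> the value the NMS must discover before it can authenticate
```

The passwords shown are the question's and are only placeholders; in production use distinct, high-entropy auth and priv keys, and remember that 'cisco123' and 'cisco456' will appear in 'show running-config' on older releases unless the user is created with localized keys.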

210
MCQmedium

In a 6to4 tunnel, what is the default IPv6 prefix assigned to the tunnel interface?

A.2002::/16
B.2002:IPv4-address::/48
C.2001::/32
D.3ffe::/16
AnswerB

The tunnel interface gets a /48 prefix based on its source IPv4 address.

Why this answer

In a 6to4 tunnel, the default IPv6 prefix assigned to the tunnel interface is 2002:IPv4-address::/48, where the IPv4 address of the tunnel source is embedded in the prefix. This is defined in RFC 3056, which specifies that the 6to4 prefix is 2002::/16, and the next 32 bits are the tunnel source's IPv4 address, resulting in a /48 prefix for the 6to4 site.

Exam trap

Cisco often tests the distinction between the 6to4 prefix range (2002::/16) and the actual prefix assigned to the tunnel interface (2002:IPv4-address::/48), leading candidates to mistakenly select the broader /16 prefix instead of the correct /48 derived from the IPv4 address.

How to eliminate wrong answers

Option A is wrong because 2002::/16 is the overall 6to4 prefix range, not the prefix a particular site uses; the tunnel endpoint's /48 is derived from its IPv4 address. Option C is wrong because 2001::/32 is the Teredo prefix (RFC 4380), not 6to4. Option D is wrong because 3ffe::/16 was the 6bone test address space, long since reclaimed and never used for 6to4 tunnels.
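A worked 6to4 configuration showing how the /48 falls out of the IPv4 address, as an added example that is not from the question bank. The public IPv4 address 203.0.113.1 and the interface names are assumed; the prefix derivation itself is RFC 3056 arithmetic.

```cisco
! 203.0.113.1 -> 0xCB 0x00 0x71 0x01 -> site prefix 2002:CB00:7101::/48
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 description public IPv4 side (tunnel source)
 ip address 203.0.113.1 255.255.255.0
!
interface Tunnel0
 description 6to4 automatic tunnel (RFC 3056)
 ipv6 address 2002:CB00:7101::1/128
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6to4
!
! Any /64 carved from the site's /48 is reachable through the tunnel.
interface GigabitEthernet0/1
 description inside IPv6 LAN
 ipv6 address 2002:CB00:7101:1::1/64
!
! Every other 6to4 site is reached via Tunnel0; the far-end IPv4 address is
! taken from bits 17-48 of each destination, so no per-peer config is needed.
ipv6 route 2002::/16 Tunnel0
!
! Verification:
!   show ipv6 interface brief Tunnel0   -> 2002:CB00:7101::1 up/up
!   show ipv6 route 2002::/16           -> static via Tunnel0
```

Because the tunnel accepts encapsulated IPv6 from any IPv4 source, apply the RFC 3964 checks before trusting what arrives: drop packets whose embedded IPv4 address does not match the outer source, and filter private or bogon IPv4 ranges at the tunnel source interface. 6to4 also requires a routable, un-NATed IPv4 address on the tunnel source, and the public anycast relay service has been deprecated (RFC 7526), so this is a lab and legacy technique rather than a design for new deployments.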

211
MCQmedium

In a VRF-Lite setup using RIP, what is the default update timer value?

A.30 seconds
B.60 seconds
C.90 seconds
D.180 seconds
AnswerA

RIP uses a default update timer of 30 seconds.

Why this answer

RIP sends routing updates every 30 seconds by default, as defined in RFC 1058.

212
Multi-Selecthard

Which TWO commands can be used to verify the operational state and statistics of an IP SLA operation? (Choose TWO.)

Select 2 answers
A.show ip sla statistics
B.show ip sla summary
C.show ip sla configuration
D.show track
E.debug ip sla trace
AnswersA, B

Correct. This command displays detailed statistics such as RTT, packet loss, and jitter for each IP SLA operation.

Why this answer

The 'show ip sla statistics' command displays detailed statistics for all IP SLA operations, including RTT, packet loss, and jitter. The 'show ip sla configuration' command shows the configuration parameters, not real-time state. 'show track' shows the state of track objects, not the IP SLA operation directly. 'show ip sla summary' provides a one-line summary of each operation's state. 'debug ip sla trace' is a debug command, not a verification show command.

213
Multi-Selectmedium

Which TWO commands can be used to verify IP SLA operations on a Cisco IOS device? (Choose TWO.)

Select 2 answers
A.show ip sla statistics
B.show ip sla reaction-configuration
C.show ip sla configuration
D.show ip sla monitor
E.show ip sla summary
AnswersA, B

Displays the latest statistics for each configured IP SLA operation.

Why this answer

The 'show ip sla statistics' command displays the latest statistics for each IP SLA operation, and 'show ip sla reaction-configuration' shows the threshold and reaction settings. 'show ip sla configuration' shows the configured parameters rather than live results. 'show ip sla monitor' is the legacy pre-12.4(4)T form of the command family and is not accepted on current IOS. 'show ip sla summary' is a valid command on current IOS and gives a one-line state per operation (question 212 treats it as correct); this key pairs the statistics view with the reaction/threshold view instead.

214
MCQmedium

A network engineer runs the following command to verify NetFlow data export format: R1# show flow exporter EXPORTER-1 Flow Exporter: EXPORTER-1 Transport Configuration: Destination IP address: 192.168.1.100 Source IP address: 10.0.0.1 Transport Protocol: UDP Destination Port: 2055 Source Port: 51234 DSCP: 0x00 TTL: 255 Output Features: Used Export Protocol: NetFlow Version 9 Template Data Export Timeout: 1800 seconds Option Data Export Timeout: 1800 seconds Option Data Configured: application-table sub-application-table application-attributes What does this output indicate?

A.The exporter uses TCP to ensure reliable delivery of flow records.
B.The exporter is configured to send NetFlow version 9 data with application option data, indicating NBAR integration.
C.The exporter is not sending any option data.
D.The exporter uses a destination port of 514.
AnswerB

The exporter uses NetFlow v9 and includes option data for application-table, sub-application-table, and application-attributes, which are used with NBAR.

Why this answer

The output shows the configuration of a Flexible NetFlow exporter. It uses UDP to send NetFlow version 9 data to 192.168.1.100 on port 2055. It also exports option data like application tables and attributes, which are used for NBAR-based application recognition.

215
MCQmedium

A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show crypto isakmp sa detail Codes: C - IKE configuration mode, D - Dead Peer Detection I - IKE Initiator, R - IKE Responder C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. 1001 10.1.1.1 10.1.1.2 ACTIVE aes sha md5 2 86400 D What does this output indicate?

A.An IKE Phase 1 SA is established with the remote peer using AES encryption and SHA hash.
B.The IKE Phase 1 SA is in a failed state because the authentication method is MD5.
C.The IKE Phase 2 SA is established with the remote peer.
D.The router is the initiator of the IKE Phase 1 SA.
AnswerA

The SA is ACTIVE with the specified parameters: aes encryption, sha hash, md5 auth, DH group 2.

Why this answer

The output from 'show crypto isakmp sa detail' displays an IKE Phase 1 (ISAKMP) security association with status 'ACTIVE', indicating successful Phase 1 negotiation. The 'Encr' column shows 'aes', 'Hash' shows 'sha', and 'Auth' shows 'md5', confirming AES encryption and SHA hash are used. This matches option A, which correctly identifies an established IKE Phase 1 SA with those parameters.

Exam trap

Cisco often tests the distinction between IKE Phase 1 and Phase 2 SAs, and candidates may confuse 'show crypto isakmp sa' (Phase 1) with 'show crypto ipsec sa' (Phase 2), leading them to incorrectly select option C.

How to eliminate wrong answers

Option B is wrong because the status is 'ACTIVE', not failed; a weak algorithm does not by itself fail an SA that has already negotiated. (On a real router the Auth column reports the authentication method, 'psk' or 'rsig', and the hash is the separate Hash column, so an 'md5' value under Auth is peculiar to this question's output.) Option C is wrong because this command shows IKE Phase 1 (ISAKMP) SAs, not Phase 2 (IPsec) SAs; Phase 2 is verified with 'show crypto ipsec sa'. Option D is wrong because the 'I-VRF' column is empty and the 'Cap.' column shows only 'D' (Dead Peer Detection); there is no 'I' (Initiator) or 'R' (Responder) flag in the output, and the 'C-id' and other fields do not indicate the initiator role.

216
Multi-Selectmedium

Which TWO statements about BGP route reflectors are true when troubleshooting route propagation issues? (Choose TWO.)

Select 2 answers
A.A route reflector reflects routes received from a non-client peer to all of its client peers.
B.A route reflector appends its own AS number to the AS_PATH when reflecting routes.
C.The cluster ID is used to prevent routing loops within a route reflector cluster.
D.Clients in a route reflector cluster must be fully meshed with each other.
E.A route reflector changes the next-hop attribute to its own address when reflecting routes.
AnswersA, C

This is a standard behavior of route reflectors to reduce IBGP peering.

Why this answer

A route reflector reflects routes learned from a non-client iBGP peer to its clients, and routes learned from a client to all other clients and to its non-client peers, which removes the need for a full iBGP mesh; it does not modify the AS_PATH. The ORIGINATOR_ID and CLUSTER_LIST attributes (the latter built from the cluster ID) are what prevent loops within and between clusters. Option B is incorrect because AS_PATH is only prepended on eBGP advertisements, never by reflection.

Option D is incorrect because clients must peer only with the route reflector, not with each other. Option E is incorrect because the next-hop is not changed by default.

217
MCQmedium

A network engineer is troubleshooting a router that is not sending SNMP traps to the NMS server at 10.1.1.100. The SNMP configuration includes 'snmp-server enable traps' and 'snmp-server host 10.1.1.100 version 2c public'. The engineer can ping the NMS server from the router, and 'show snmp' indicates SNMP is enabled. What is the most likely cause of the missing traps?

A.The NMS server is not listening on UDP port 162.
B.The 'snmp-server trap-source' command is missing, causing traps to use an incorrect source IP.
C.The SNMP community string 'public' is not configured on the router.
D.The router's ACL is blocking outbound UDP traffic to port 162.
AnswerB

Without 'snmp-server trap-source', the router uses the outgoing interface IP, which may not match the NMS's expected source or may be unreachable.

Why this answer

Traps are sourced from the address of the egress interface unless 'snmp-server trap-source <interface>' pins them to a known address. Many NMS products only accept traps whose source IP matches a device in their inventory, so traps arriving from an unexpected interface address are silently discarded even though the host and community configuration are correct. Pinning the source to a loopback also keeps it stable across path changes.

218
MCQmedium

A network engineer runs the following command on Router R8: R8# show logging | include %LDP-5-NBRCHG *Mar 1 00:01:10.123: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is UP *Mar 1 00:02:20.456: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN *Mar 1 00:03:30.789: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is UP *Mar 1 00:04:40.012: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN Based on this output, what is the most likely problem?

A.The LDP session is flapping due to an unstable IGP route to 10.0.0.2.
B.The MPLS label space is exhausted.
C.The router has a mismatched LDP router ID.
D.The LDP hello interval is set too high, causing slow detection.
AnswerA

LDP relies on IGP to establish and maintain neighbors; if the IGP route is flapping, LDP will also flap.

Why this answer

The output shows LDP neighbor 10.0.0.2 flapping between UP and DOWN. This indicates instability in the LDP session, often due to a flapping IGP route (since LDP depends on IGP reachability), or a misconfiguration of LDP parameters such as hello interval or hold time.

219
MCQhard

An engineer configures BFD for BGP on a route reflector client. The BFD session between the client and the route reflector is up, but the client does not receive routes from the route reflector. The engineer verifies that the BGP configuration is correct and that the client is sending routes. What is the most likely cause?

A.The route reflector is not configured with 'next-hop-self', so the client cannot reach the next hop of the routes.
B.The BFD session is using a different source IP than the BGP update-source, causing BGP to ignore BFD state.
C.The 'bgp client-to-client reflection' command is disabled on the route reflector.
D.The route reflector has a BGP policy that filters routes based on community, and the client's routes do not have the required community.
AnswerA

Correct. Without 'next-hop-self', the route reflector advertises routes with the original next hop, which may not be reachable by the client.

Why this answer

A route reflector reflects routes between its clients by default (client-to-client reflection is on unless explicitly disabled) and leaves NEXT_HOP untouched. If the reflected paths carry a next hop the client cannot resolve, typically the eBGP next hop of the router that brought them into iBGP, the client still receives the updates but keeps them in the BGP table flagged 'inaccessible' and installs nothing, which from the client's perspective looks like missing routes. BFD only speeds up detection of a failed session; it plays no part in route selection. The fix is either to carry the next hop in the IGP or to have the reflector rewrite it toward the client (on IOS, 'neighbor <ip> next-hop-self all' is needed for reflected iBGP paths; plain 'next-hop-self' only rewrites eBGP-learned paths).

220
Drag & Dropmedium

Drag and drop the steps to create and register an EEM applet for syslog events into the correct order, from first to last.


Why this order

The correct order begins with entering global configuration mode, then defining the EEM applet and its syslog trigger, followed by configuring the action to execute, and finally exiting configuration mode to register the applet.
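The five steps carried out on a router, as an added example that is not from the question bank. The applet reacts to the LDP neighbor-down messages shown in question 218 and records the state a troubleshooter would want at that moment (the IGP route to the neighbor and the LDP neighbor table). The applet name, the flash file name and the 10.0.0.2 address are assumed.

```cisco
! Step 1: enter global configuration mode
configure terminal
!
! Step 2: create the applet (it is registered only when you leave config mode)
event manager applet LDP-NBR-DOWN
!
! Step 3: the trigger, a regular expression matched against every syslog line
 event syslog pattern "%LDP-5-NBRCHG: LDP Neighbor .* is DOWN" occurs 1
!
! Step 4: actions run in label order; 'cli' actions need an enable prompt first
 action 1.0 syslog priority warnings msg "EEM: LDP neighbor down, capturing state"
 action 2.0 cli command "enable"
 action 3.0 cli command "show clock | append flash:ldp-flap.txt"
 action 4.0 cli command "show mpls ldp neighbor | append flash:ldp-flap.txt"
 action 5.0 cli command "show ip route 10.0.0.2 | append flash:ldp-flap.txt"
!
! Step 5: leave configuration mode; the applet is now registered
end
!
! Verification:
!   show event manager policy registered   -> applet LDP-NBR-DOWN, event type syslog
!   show event manager history events      -> one entry per time the applet fired
```

Two details matter when an applet writes its own syslog message: the message must not itself match the trigger pattern (here "EEM: LDP neighbor down" does not contain "%LDP-5-NBRCHG"), or the applet re-triggers itself; and an applet that runs 'cli' commands executes with the privilege of the EEM policy, so treat the ability to edit applets as equivalent to privilege 15 when you design AAA.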

221
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip dhcp conflict IP address Detection method Detection time VRF 192.168.1.20 Ping Mar 01 2020 01:00 AM 192.168.1.21 Gratuitous ARP Mar 01 2020 01:05 AM Based on this output, what is the problem?

A.The DHCP server is working normally; conflicts are automatically resolved.
B.The DHCP server has detected IP address conflicts, meaning another device on the network is using the same IP addresses.
C.The DHCP server is not responding to client requests.
D.The DHCP pool is misconfigured with overlapping subnets.
AnswerB

Conflicts indicate duplicate IP usage on the network.

Why this answer

The `show ip dhcp conflict` command displays IP addresses that the DHCP server has detected as already in use on the network. The detection methods (Ping and Gratuitous ARP) confirm that another device is responding to these addresses, indicating a conflict. This output directly shows that the DHCP server is functioning but has identified conflicts, meaning another host is using the same IP addresses.

Exam trap

Cisco often tests the distinction between a DHCP server that is working but detecting conflicts versus a server that is failing to respond or misconfigured, leading candidates to incorrectly assume the server is broken when it is actually performing its conflict detection duties correctly.

How to eliminate wrong answers

Option A is wrong because conflicts are not automatically resolved; the DHCP server logs them and removes the addresses from the pool until an administrator clears them with 'clear ip dhcp conflict'. Option C is wrong because the output shows the DHCP server is actively detecting conflicts, which requires it to be responding to client requests and performing conflict detection. Option D is wrong because overlapping subnets would cause pool exhaustion or misallocation, but the output specifically shows address conflicts detected via Ping and ARP, not a pool configuration issue.

222
MCQeasy

What is the default port number used by syslog servers to receive UDP syslog messages?

A.UDP 162
B.UDP 514
C.TCP 514
D.UDP 161
AnswerB

UDP port 514 is the well-known port for syslog.

Why this answer

RFC 5426 (transmission of syslog over UDP) specifies UDP port 514 as the default. UDP 161 and 162 are the SNMP agent and trap ports, and TCP 514 (or TLS on TCP 6514, RFC 5425) is used for reliable syslog transport, not the UDP default.

223
Drag & Dropmedium

Drag and drop the steps to negotiate an IKEv2 IPsec site-to-site tunnel into the correct order, from first to last.


Why this order

IKEv2 negotiation begins with Phase 1 (IKE_SA_INIT) to establish a secure channel, followed by IKE_AUTH to authenticate and exchange identities. Phase 2 (CREATE_CHILD_SA) then negotiates the IPsec SA, and the final step installs the IPsec security associations into the data plane. Strictly, the first Child SA is negotiated inside IKE_AUTH itself (RFC 7296) and CREATE_CHILD_SA is used for additional Child SAs and for rekeying, but the exam ordering treats CREATE_CHILD_SA as the Phase 2 step.

224
MCQhard

A network engineer redistributes OSPF routes into EIGRP on Router R1. After redistribution, Router R3, which is an EIGRP neighbor of R1, starts experiencing routing loops for the 192.168.1.0/24 network. R1 configuration: router eigrp 100, redistribute ospf 1 metric 10000 100 255 1 1500, route-map RM-OSPF-to-EIGRP. The route-map sets tag 100. R3 shows: 'show ip route 192.168.1.0' points to R1, but traceroute shows packets looping between R1 and R3. What is the root cause?

A.The redistribution metric is too low, causing the route to be preferred over the OSPF path, but the loop is due to missing route tagging and filtering on redistribution.
B.The EIGRP metric values are incorrect; the delay value of 100 is too high, causing the route to be considered unreachable.
C.The route-map is applied in the wrong direction; it should be applied to the redistribute command under OSPF instead of EIGRP.
D.R3 has a static route for 192.168.1.0/24 pointing to R1, overriding the dynamic route.
AnswerA

The route-map sets a tag, but without a corresponding filter on the OSPF side (e.g., deny routes with tag 100), the route can be redistributed back into OSPF, creating a loop.

Why this answer

Setting a tag is only half the job. The route-map on R1 marks everything that enters EIGRP from OSPF with tag 100, but nothing matches on that tag anywhere, so as soon as a second redistribution point (R3, or R1 itself with 'redistribute eigrp' under OSPF) hands EIGRP routes back to OSPF, the prefix re-enters OSPF as an external route, R1 learns it back, and the two routers chase each other for 192.168.1.0/24. The traceroute looping between R1 and R3 is the signature of that feedback.

The fix is to use route tagging and filtering to prevent redistribution loops.
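The tag-and-filter pattern on R1, written out as an added example that is not from the question bank. The EIGRP AS, OSPF process and metric values come from the question; tag 200 for EIGRP-origin routes and the route-map names are assumed. If R3 is also a redistribution point, it needs the same pair of route-maps, because a filter on one router does nothing for routes that leak at another.

```cisco
! OSPF -> EIGRP: never re-import what originally came from EIGRP (tag 200),
! and stamp everything else as OSPF-origin (tag 100).
route-map OSPF-TO-EIGRP deny 10
 description block routes that originated in EIGRP
 match tag 200
route-map OSPF-TO-EIGRP permit 20
 set tag 100
!
! EIGRP -> OSPF: the mirror image; this is the filter missing in the question.
route-map EIGRP-TO-OSPF deny 10
 description block routes that originated in OSPF
 match tag 100
route-map EIGRP-TO-OSPF permit 20
 set tag 200
!
router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-TO-EIGRP
!
router ospf 1
 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
!
! Verification:
!   show ip route 192.168.1.0 255.255.255.0   -> on R3: EIGRP external, "Tag 100"
!   show ip eigrp topology 192.168.1.0/24     -> External data shows admin tag 100
!   show ip ospf database external            -> no type-5 LSA for 192.168.1.0 carrying tag 200
```

Tags survive across the protocol boundary because both EIGRP (external data) and OSPF (type-5 LSA) carry a 32-bit tag field, which is what makes this work without tracking prefixes by hand. Keep the deny entries first and the permit-with-set last; a route-map that sets the tag before checking it defeats the purpose.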

225
MCQhard

A large enterprise network is experiencing intermittent connectivity failures for VoIP traffic traversing a DMVPN hub-and-spoke topology. Hub router R1 has the following relevant configuration: ip nat inside source list 100 interface Tunnel0 overload. Spoke router R2 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 10.1.1.1 192.168.1.1 203.0.113.1 203.0.113.1. VoIP calls drop after 30 seconds. Which change addresses the problem?

A.Configure ip nat translation timeout 60 for UDP to align with VoIP timers.
B.Add ip nat inside source list 100 interface Tunnel0 overload to the spoke router.
C.Change the DMVPN tunnel mode to GRE over IPsec with no NAT.
D.Use ip nat outside source list 100 interface Tunnel0 overload.
AnswerA

Shortening the UDP translation timeout clears stale PAT entries sooner, so a refreshed VoIP flow is not matched against an entry that still points at the old port mapping.

Why this answer

The issue is that PAT overload on the DMVPN tunnel interface rewrites the source of spoke traffic, so each VoIP stream depends on a translation entry whose lifetime is governed by the NAT timeouts rather than by the call. The IOS defaults are 86400 seconds for TCP and 300 seconds for UDP (60 seconds for DNS and ICMP). When the tunnel rekeys or the VoIP session refreshes, a stale entry can leave traffic mapped to the wrong port, causing asymmetric handling or dropped packets. The UDP-specific form of the command is 'ip nat translation udp-timeout <seconds>'; the alternative is to exclude VoIP from translation altogether by replacing the ACL on the 'ip nat inside source' statement with a route-map (or deny entries in list 100) that leaves the voice subnets untranslated.
